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1.0 SUMMARY 


A preliminary hazards analysis of a nuclear reactor power system for 
surface power generation on the moon and Mars as part of the Space Exploration 
Initiative has been performed. The rigor and scope of the analysis was 
consistent with the conceptual state of the 1988 System Design Review SP-100 
Reference Flight System design for the potential applications and the current 
detail of the mission descriptions. The objective of the study was to 
identify potential hazards arising from nuclear reactor systems for use on the 
lunar and martian surfaces, related safety issues, and resolutions of such 
issues by system design changes, operating procedures, and other means. This 
study does not address safety issues for a reactor which is part of a 
propulsion system. However, the use of such a system will have an impact on 
the mission profile and this has been taken into account. 

All safety aspects of nuclear reactor systems from prelaunch ground 
handling to eventual disposal were examined consistent with the level of 
detail for SP-100 reactor design, launch vehicle and space transport vehicle 
designs, and mission descriptions. The analysis of missions to the moon and 
Mars has been conducted by concentrating on events not previously covered in 
past aerospace nuclear safety studies. Information from those previous 
aerospace nuclear safety studies was used where appropriate. 

Safety requirements for the SP-100 space nuclear reactor system were 
compiled from available published documents. Mission profiles for typical 
lunar and martian flights were defined with emphasis on activities after low 
earth orbit insertion. Accident scenarios were then qualitatively defined for 
the new mission phases. Safety issues were identified for all mission phases 
with the aid of simplified event trees. Safety issue resolution approaches of 
the SP-100 program were compiled. Resolution approaches for those safety 
issues not covered by the SP-100 program were identified. Additionally, the 
resolution approaches of the SP-100 program were examined in light of the moon 
and Mars missions. 

The key results of the study are summarized in Table 2-1. This table 
presents the governing requirements and the resolution approaches identified 
to meet the requirements. Each of the safety issues listed in Table 2-1 are 
summarized below including the resolution approaches. 

Decay Heat Removal 

The SP-100 Reference Flight System uses the primary coolant loop and the 
auxiliary coolant loop systems to remove decay heat from the reactor core 
after shutdown. These systems have been designed for operation in zero-g 
space. A steady state analysis was performed to determine the feasibility of 
designing a primary heat transport loop with the capability of removing 
reactor decay heat by natural convection. The study was based upon an SP-100 
reactor operating on the lunar surface with either a Brayton or a Stirling 
power conversion subsystem. Temperature differences developed across the 
reactor as a function of height and pipe diameter for one second and 50 
seconds after sliutdow.i were on the order of 100 C to 200 C for a configuration 
of 6 m from reactor to heat exchanger with 8 cm diameter pipe. Thus, 
excessive temperatures would not occur if the reactor design used natural 
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Safety Issue Requirement Resolution Approach 


Decay heat removal Low risk 


Reactor control Low risk 


Disposal Low risk 


Criticality Subcritical in 

all credible 

accident 

conditions 


End-of-life Low risk 

shutdown 


Radiation exposure ALARA 
release 


Mars environment Low risk 


High speed impact Low risk 
on the earth, moon 
and Mars 


Use containment vessel for loss of 
coolant accident; use natural 
convection otherwise. 

Investigate need for poison-backed 
reflectors to reduce backscattering 
by close proximity shielding. 

Use methods with minimum astronaut 
interaction; provide adequate long 
term safe disposal with minimum 
risk. 

Neutron absorbers; design to survive 
new launch and transport vehicle 
accident environments; use 
expendable launch vehicles so 
reactor is above solid rocket 
boosters. 

Automatic, single fault tolerant 
clock mechanism; irreversible power 
interruption to control actuators. 

Need radiation exposure limits and 
controls for all power sources 
(stationary and mobile); must 
consider all potential missions. 

Use reliable coatings on or 
isolation from the martian 
environment of refractory metals; 
consider using lower temperature 
materials (stainless steel, etc.) 
compatible with the martian 
environment. 

Design reactor to survive earth 
reentry intact; rely upon highly 
reliable transfer vehicle guidance 
systems for moon and Mars. 
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Table 1-1 

Summary of Resolution Approaches to Key Safety Issues of Nuclear Reactors as 
Planet Surface Power Systems for the Space Exploration Initiative 
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Safety Issue 

Requirement 

Resolution Approach 

Return flyby 
trajectories to the 
moon and Mars 

Low risk 

Eject nuclear reactor into space to 
avoid inadvertent earth reentry or 
design highly reliable transfer 
vehicle to accommodate excess return 
mass during earth orbit insertion. 


convection in the primary coolant loop should the secondary heat transfer loop 
fail to provide a heat sink. 


A potential method to accommodate a loss of coolant accident is 
containment of the primary coolant loop inside a guard vessel. The guard 
vessel would be designed so that the captured coolant would cover the reactor 
and decay heat would be rejected by heat pipes attached to the guard vessel 
wall. A cursory steady state thermal analysis for a lunar application 
resulted in a temperature drop from the reactor to the guard vessel on tne 
order of 525 C to 550 C. However, the analysis indicated that it is possible 
to remove the decay heat by boiling. For Mars, the pressure inside the guard 
vessel would have to be kept at or below the martian atmospheric pressure so 
that the lithium saturation temperature would be well below the normal 
operating temperature of the reactor. A transient analysis is required to 
estimate peak fuel cladding temperatures to verify this method of 
accommodating a loss of coolant accident. 

Reactor Control 

Reactor control with BeO reflectors may not be adequate for a man-rated 
reactor. Leakage out the reactor may be significantly reduced by a man-rated 
shield in close proximity to the reactor. Poison-backed reflectors may be 
required to reduce the backscattering produced by the shield. An analysis is 
required. 

Currently, the possibility of astronauts performing maintenance or 
repair activities is remote. As such, consideration should not be given to a 
reactor design which allows for replacement and maintenance of reflectors, 
safety rods, and reflector and rod drive mechanisms. 

Inadvertent reactor startup must be prevented by use of lock mechanisms 
to maintain shutdown rods inside the reactor core and reflectors in their 
least reactive position. 
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Disposal 


The problem of safe disposal of the used nuclear reactor core is a 
complex issue. The problem involves fuel and fission product containment, 
radiation exposure and diversion. Three disposal schemes were examined: 1) 

storage in place, 2) storage away from the power production area, and 3) 
insertion into a parabolic trajectory. Disposal by insertion into a parabolic 
trajectory from the moon and Mars has the potential for accidents during 
launch from the planet surface and boost from orbit around the planet. These 
accidents may leave the planet surface or the orbit contaminated. An 
unplanned retrieval from orbit will create circumstances for additional 
accidents and significant radiation exposure to astronauts if their presence 
is required. Disposal by launching the used reactor core to a nuclear safe 
orbit about the moon or Mars would result in the used reactor presenting a 
hazard for future flights. 

Lunar and Mars surface disposal, i.e., storage in place or away from the 
power production area, eliminates the hazards associated with schemes that 
require launching from the planet surface for disposal. However, 
environmental safety concerns become important for long periods of time. 

During long storage times, provisions must be made to restrict access to the 
storage areas and provide for passive decay heat removal. 

Any method of surface storage of the used nuclear reactor fuel would be 
dependent upon the need to remove the used core from the power production area 
for such purposes as reusing portions of the existing power system versus the 
ability to safely remove the used core without overexposing the astronauts or 
contaminating the environment while removing the spent fuel. This issue has 
been considered should the decision be made in the future to require the 
removal of the reactor from the vicinity of the base. A commitment to 
permanent human occupation of the lunar surface may require removal of the 
used reactors from the base area to avoid clustering these radioactive sources 
around the base. Spent fuel removal could be accomplished by means of robots 
to prevent astronaut exposure. Should the use of robots to remove the fuel 
fail, remedial efforts may be required; these should minimize astronaut 
exposure. Spent reactor fuel stored on Mars would be required to withstand 
the martian environment for many years. A risk assessment must be performed 
to assist in determining which disposal scheme is best. The disposal strategy 
must have minimum astronaut interaction and adequate long term safe storage 
with minimum risk. 

Criticality 

The SP-100 is being designed to remain subcritical during launch 
accidents by providing sufficient negative reactivity and the structural 
capability to retain this negative reactivity. Neutron absorber rods will be 
locked into place inside the reactor core at launch to be removed only upon 
the startup command. These rods have been designed to keep the reactor core 
subcritical under all postulated reactor configurations resulting from 
explosions, projectiles, fragments, and shrapnel. Hydrocode analyses by 
General Electric (Ref. I-l) hfvfj teen pe^'formed to verify the rods will remain 
in the reactor core during the explosion environments resulting from failures 
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of the space shuttle. Nuclear reactor accommodation of the explosion 
environments possible during any phase of the moon and Mars missions is not 
known at this time due to the lack of sufficient design detail of the launch, 
transfer, and excursion vehicles. The use of an expendable launch vehicle may 
eliminate solid rocket motor casing fragments as a safety concern since the 
reactor should be located above any fragment field generated in an explosion 
of the launch vehicle. 


Larger launch vehicles have been proposed for the moon and Mars 
missions. When sufficient design details are forthcoming, data characterizing 
the environments resulting from launch vehicle failures will have to be 
generated and compiled in the same manner as has been done for the Space 
Shuttle and the Titan IV. These new environments and failure rates will then 
be used to design the SP-100 or any other reactor to remain subcritical in 
these environments. The reactor system will be required to maintain 
subcriticality in the new launch vehicle explosion environments. 
prografn has shown that tho fuol and safety rod is maintained in the 

explosion environments radial implosion, lateral overpressure load against one 
side of the reactor, axial overpressure load, SRB fragment impact, shrapnel 
Impact, and secondary impact. 


End-of-Life Shutdown 

End-of-life shutdown is a safety issue because a nuclear reactor that 
fails to shutdown may preclude access to the power production site to emplace 
a replacement reactor. Final shutdown should be accomplished by a clock 
mechanism which will activate at a preset time set prior to operation. The 
clock mechanism must be single fault tolerant. It must operate independently 
of the reactor operating mode or the power conversion subsystem operation. It 
must also irreversibly interrupt the power supply to the reactor control 
drives, both safety rods and reflectors. 


Radiation Exposure 

Radiation exposure control during operation and maintenance will involve 
shielding, distance, and time wherever practical. The particular radiation 
exposure limits for astronauts has not been clearly defined. 

Radiation exposure controls for astronauts need to include the effects 
of all sources of natural and man-made radiation, both stationary and mobile. 
Past shielding studies for stationary and mobile systems have ignored the 
presence of sources of man-made radiation in addition to the reactor. An 
allocation of exposure to natural and man-made radiation is required. An 
analysis must be performed of potential astronaut activity on the surface of 
the moon and Mars to characterize the potential for exposure of the astronauts 
to man-made radiation sources. From this characterization, an optimum dose 
limit allocation between mobile and stationary man-made radiation sources can 
be made. 

The characterization of astronaut activities for the purpose of dose 
limit allocations must include all potential missions. A dose limit based 
upon a 30 day astronaut stay will result ir astronaut overexposure during the 
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600 day lunar mission dress rehearsal for the missions to Mars. Dose limits 
should be based upon the longest potential astronaut stay expected during the 
lifetime of the nuclear reactor surface power system. 

Dose limits have not been suggested based upon a realistic and complete 
set of dose plane locations. Dose limits for man-made radiation emanating 
from surface nuclear reactors have been proposed for the habitat area at 
various distances from the power production area (e.g., 1 km and 5 km), at 
arbitrary distances, and at the inner-most point of the radiator panels. 

Proper sizing and comparison of shielding alternatives will require the 
allocation of dose limits at prescribed locations. Various astronaut 
activities will require them to perform duties at the habitat area, at the 
launch/landing site, at the soil processing plant, and at locations away from 
the outpost which will require travel outside the protection of the habitat on 
surface rovers. A total dose limit must be recognized as the summation of the 
doses acquired from the various locations at which astronauts will be 
performing their duties. Also, dose limits should be separated into nominal 
and emergency limits. A nominal limit should reflect the diversity of duties 
required of an individual astronaut. Emergency limits should be set to 
reflect the availability of an excursion vehicle for outpost abandonment in 
addition to the consequences to the astronauts of power system failure. 

Mars Environment 

In addition to the COj atmosphere, the martian soil has been found to 
contain oxidants. The martian soil is periodically entrained and suspended in 
the atmosphere by surface winds. Also, HjSO* and HCl aerosols are believed to 
be present in the wind blown dust. Reactor materials will be required to 
withstand the COj atmosphere and these oxidants and acids during operation and 
long term storage if final disposal is on the surface of Mars. 

Research is required for material compatibility with the martian 
environment. Coatings such as silicide for refractory metals need to be 
investigated for long term reliability. Reactor designs using alternate 
materials, such as stainless steel, which operate at lower temperatures and 
are compatible with the martian environment need to be considered. Isolation 
of the refractory materials from the martian environment should be 
investigated as a potential solution. The refractory metals could be encased 
in a vessel which supports a vacuum or inert atmosphere between the outside 
vessel and the inner refractory materials, e.g., encase the primary coolant 
loop piping in a stainless steel tubing with a vacuum between them. 

Hioh Speed Impact on the Earth. Moon and Mars 

High speed impacts are possible during a flight to the moon or Mars. 

High speed impacts on the lunar and Mars surfaces may occur during moon/Mars 
orbit insertion and descent to the surface. They may also occur during 
launch from the earth and upon return to the earth should the space vehicle 
fail to orbit the moon or Mars and return to the earth. The issue of a return 
to earth without orbiting the moon or Mars is discussed below under the safety 
issue of return flyby trajectories. An .dditional possibility for lunar 
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surface impact may occur if nuclear electric propulsion is used and the trans- 
lunar orbit requires a gravity assist flyby of the moon. Impact speeds may be 
as high as planet approach velocities since the moon has no atmosphere and 
Mars has too little atmosphere to adequately slow down the spacecraft. The 
reactor is unlikely to survive such an impact on the moon or Mars. The risk 
to the mission from this type of accident will have to be estimated taking 
into account flight path angle, incoming velocity, and the aerobrakes. Highly 
reliable transfer vehicle guidance systems will minimize risk. The reactor 
must be designed to survive earth reentry so that the risk to the general 
population is insignificant. 

Return Flvbv Tra.iectories 

Flights to the moon and Mars are likely to use trans-lunar and trans- 
mars trajectories which will allow return to earth should the space vehicle 
propulsion system fail to function for orbit insertion. This type of 
trajectory would be failsafe. If a failure in the propulsion system used for 
orbit insertion around the moon or Mars is detected during the trans-lunar or 
trans-Mars trajectory phase of the mission or the system fails to operate when 
commanded, a return flyby trajectory would allow the space vehicle to return 
to earth with little or no additional thrusting for retrieval of astronauts 
and cargo. The propulsion system may be either chemical or nuclear. The term 
return flyby trajectory has been used to denote a trajectory from the earth to 
the moon or Mars which would not require a significant thrust at the moon or 
Mars to insert the space vehicle into a trajectory which will return the space 
vehicle to the earth. The returning space vehicle would contain the original 
cargo, including the surface power system reactor. The potential ®^ists for 
the returning space vehicle to reenter the earth's atmosphere should the 
propulsion system failure preclude an earth avoidance maneuver. Reactor earth 
reentry survival in a subcritical configuration will have to be guaranteed so 
that the risk to the general population is insignificant. 

The preferred resolution to reduce the risk to the general population to 
an insignificant level would be ejection of the nuclear reactor at some time 
in the return flyby trajectory when such an action poses very little threat to 
the general population. This would be the most likely means of reducing the 
threat since a return flyby trajectory would probably call for ejection of the 
cargo and unused propellant since transfer vehicles do not appear to be 
designed for insertion into low earth orbit with such a large mass. It is not 
clear that the propulsion system for the SEI space vehicles would be capable 
of earth orbit insertion with the full cargo. The return trajectory should 
have a perigee altitude of at least 1000 km in case ejection of the reactor 
fails. If ejection of the reactor is not possible, the transfer vehicles 
would have to be designed to accommodate this mission abort scenario. The 
transfer vehicle would have to be designed so that the aerobrake, or the 
attached excursion vehicle, could safely insert the spacecraft into orbit 
about the earth. The particular flight maneuvers associated with earth orbit 
insertion should be chosen to minimize risk to the general population. 

Because the reactor will not be operated until it is emplaced on the surface 
of the moon or Mars, mission risk will not be aggravated by a fission product 
inventory. The safety issue of a nuclear propulsion system as part of this 
returning space vehicle was not addressed since it wac outside the scope of 
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this task. 

Loss of Power to Habitat 


This Issue Is not normally considered a nuclear safety issue. It has 
been Included here because it does have an impact on the safety of the 
astronauts. The following discussion will have some application to any 
central power system used on the moon and Mars. 

In all cases where the nuclear reactor is shutdown due to a failure and 
in some cases where power is reduced, the habitat will not have sufficient 
power to maintain life support systems. It is the responsibility of the power 
system designer to prevent a power system response which will place the 
astronauts in a life threatening situation. An uninterruptible power source 
must be provided which will maintain minimum life support capabilities. 

Habitat power requirements in the case of nuclear reactor shutdown or 
power-down will be time dependent based upon the response of the habitat life 
support systems to a loss of power. An analysis must be performed to identify 
the power needs of systems after a nuclear reactor power system shutdown or 
power reduction. 

A reliability, availability, and maintainability (RAM) analysis is 
required of all surface power systems (including extravehicular mobility 
units) with respect to meeting the life support requirements of the 
astronauts. These life support requirements would include maintenance of the 
excursion vehicle to provide the astronauts the option to abandon the outpost. 
The goals of the RAM analysis must be consistent with the purpose of the 
outpost and the restrictions placed upon any emergency options due to the 
remoteness of the outpost from earth and the harsh environment in which the 
outpost exists. 

Reactors designed for low earth orbit applications are typically 
required to meet reliability goals. Reliability goals are used for systems 
which are not repairable. The nuclear reactor power system for the moon and 
Mars may have some degree of repairability. Also, the availability of power 
to the astronauts is most important. As such, it would seem that an 
availability goal is more appropriate. A nuclear power system should be 
designed with an availability goal(s) for power to sustain life support 
systems and other vital power consumers as a part of a total power management 
and distribution system of stationary and mobile power sources. A RAM 
analysis is advised. 

Recoiwnendations 

The scope of this study was to identify safety issues associated with 
the use of nuclear reactors as lunar and martian surface power systems for the 
Space Exploration Initiative. Resolution approaches to the safety issues were 
identified without an extensive analytical assessment. Resolution options 
were selected based upon previous analyses as appropriate. Where there was 
inadequate information, data requirements and the methods to acquire the data 
were identified. The following paragraphs discuss fol'iow-on tasics. 
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Shielding options cannot be properly evaluated at this point in the 
Space Exploration Initiative. There is no comprehensive criteria against 
which to evaluate and select the best option. A study should be performed to 
characterize astronaut activities for the purpose of establishing dose limit 
allocations. This study would define a global dose limit and then proceed to 
allocate portions of this limit to the various activities astronauts will 
perform. Admittedly, there is not enough data for a definitive set of 
criteria, but there is enough data on mission activities to perform a 
parametric analysis with the intent to bound the solution and reduce the 
number of options. Additional data requirements can be identified. Shielding 
impacts on mission activities can be identified to eliminate the potential for 
dose requirements that would eliminate critical mission elements. 


The next step in evaluating mission risk would be the construction of 
complete event trees with projected accident probabilities based upon the best 
available failure rate data on the launch vehicle and the space vehicles used 
to transfer the reactor from earth orbit to the surface of the moon or Mars. 
This step would identify failure rate data requirements. All mission phases 
would be analyzed to allow a comprehensive comparison. Missing data could be 
provided by data on similar systems and components operating in similar 
environments. In combination with estimates of radiation source terms, the 
event trees would be used to identify high risk contributors, by using a 
relative risk index, that may have a large impact on nuclear reactor and power 
conversion system design. The relative risk evaluation would begin the 
process of identifying dominant mission risk contributors early in the design 
process to preclude significant design changes during subsequent design 
efforts when such changes would have a severe adverse effect on system 
development. The relative risk index can be used to identify the dominant 
risk contributors without the need to determine absolute mission risk. 


The safety requirements listed in this study are primarily for a payload 
launched on the Space Shuttle. The unmanned mission safety requirements are 
the result of an initial cursory evaluation of SP-100 mission safety 
requirements and their applicability to potential SEI missions. The 
additional manned mission requirements were identified as part of this study. 

A thorough evaluation of the applicability of the unmanned mission safety 
requirements is needed to eliminate unnecessary requirements and to identify 
missing requirements. The launch vehicles proposed for the SEI missions are 
primarily expendable boosters. A study is required to ensure that the safety 
requirements for these expendable launch vehicles have been identified. 
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2.0 INTRODUCTION 


In the 90-day Space Exploration Initiative (SEI) study conducted by the 
National Aeronautics and Space Administration, power requirements and duty 
cycles for the planetary (lunar and martian) surface systems were estimated. 

A major conclusion of the study was the requirement for a nuclear reactor to 
supply electrical power to planetary surface systems with duty cycles having 
power demands during the lunar night. 

The object of this task order was to report the results of a study to 
investigate the safety issues associated with using a reactor as a source of 
electrical energy to power planetary surface systems identified during the 90- 
day study. This safety investigation defined mission profiles for nuclear 
reactor applications on the moon and Mars. Accident scenarios and 
environments were postulated. A qualitative safety assessment was performed. 

The most advanced space nuclear reactor design program is the SP-100 
program. The SP-100 reactor power system is being designed for generic 
missions in orbit around the earth and not specifically for missions on the 
surfaces of the moon and Mars. This study evaluated and resolved safety 
issues associated with the missions to the moon and Mars. The effects of 
planet surface application on the SP-100 desigli were noted. 

This report begins with a summary of the results of the study in Chapter 
2. This is foTTowed by a dTscussion of nuclear reactor appTTcatTons on the 
moon and Mars in Chapter 3. Basic mission sequences for flighty to the moon 
and Mars are then presented. Mission phases for operation on planetary 
surfaces and final disposal are also included. Next, the lunar and martian 
environments are described since these environments have safety implications. 

The current safety requirements for the SP-100 reactor system are 
presented in Chapter 4. This includes a list of safety requirements 
documents. 

Chapter 5 presents the defined mission profiles for the lunar and 
martian flights. The basis for these flights are the results of the 90-day 

study and feedback during Task Order reviews. Further details ha ve been added 

to allow a reasonable identification of potential accidents. Separate mission 
profiles have been defined for flights to the moon and Mars. The mission 
profiles covered activities from fuel fabrication to disposal. 

Potential accident scenarios and environments were identified for the 
lunar and martian mission profiles. These scenarios and environments are 
presented in Chapter 6. From the accident scenarios and environments, safety 
issues were identified. The safety issues are presented in Chapter 7. 

Safety issue resolution approaches are presented in Chapter 8. The 
depth of the safety analysis and resolution approaches is commensurate with 
the level of detail found in the results of the 90-day study. This chapter 
contains a brief summary of SP-100 program resolution approaches. It also 
contains the results of an assessment of the lunar and martian raission 
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elements not previously examined. 

Chapter 9 presents a brief list of recommendations to enhance 
of a nuclear reactor throughout the various phases of the lunar and martian 

missions. 
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3.0 NUCLEAR REACTOR APPLICATION ON NARS AND THE NOON 


The potential need for a nuclear reactor power system was identified in 
the 90-day study to provide the electrical power required as the outposts' 
power demands evolve into the hundreds of kilowatts. Also, a nuclear reactor 
power system has a mass advantage over photovoltaic systems on the moon 
because the length of the lunar night makes dedicated energy storage for 
photovoltaic systems heavy. The reactor system could be part of a centralized 
power production system wherein transmission cables would connect the reactor 
with the other major areas of the lunar and martian outposts. The reactor 
power system could also be a stand-alone unit dedicated to a specific 
application. The location of the unit and the means to transmit the power to 
the application will be dependent upon the amount of human interaction at the 
site of the application. 

The safe use of a nuclear reactor as an electrical power source on the 
moon and Mars requires the system designer to consider all phases of the 
mission, not just that part of the mission when the reactor is operating on 
the surface of the planet. The design must be analyzed for potential harmful 
effects to the general population, the environment of the earth, and mission 
personnel during all mission phases. 

As a starting point in this analysis, the safety analyst must be 
knowledgeable of the circumstances to which his system will be subject during 
the mission phases. This chapter begins with a discussion of basic mission 
profiles defined for this study. The basic missions to the moon and Mars have 
been defined assuming continuous occupation of the surface of the planet and 
reuse of transportation vehicles. The discussion includes potential 
perturbations from these basic mission profiles to provide a comprehensive 
safety assessment. Alternate mission sequences include direct launch to the 
moon and Mars, transport vehicle assembly in low earth orbit away from the 
space station, reactor emplacement on the surface of the planet or buried, 
intermittent outpost occupancy, and disposal by surface or away- from- surface 
strategies (detailed mission profiles are presented in Chapter 4). This is 
followed by a section on the lunar and martian environment as they pertain to 
safety. 

The flight plans for missions to the moon and Mars are currently under 
evaluation. To provide a basis for a safety evaluation of the use of a 
nuclear reactor as a power source for surface systems on the moon and Mars, 
basic mission sequences have been assumed. The basis for the basic mission 
sequences defined for this study was Reference Approach A (Ref. III-l). 
Reference Approach A was chosen because it appeared to contain the greatest 
level of activity, as opposed to Reference E, and thus would provide a 
comprehensive treatment. Variations of these basic mission sequences have 
been defined in this study to include the latest proposals by NASA and other 
potential alternatives. The details of the mission sequences are in Chapter 
4. 


During the exploration of the moon, flight plans will change with lunar 
outpost evolution. As the lunar outpost evolves to decrease dependency oi 
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earth, flight plans will include reuse of systems, e.g., the lunar transfer 
vehicle and the lunar excursion vehicle (LEV). Prior to the establishment of 
the lunar excursion vehicle servicer on the moon, the lunar transfer and 
excursion vehicles will be flown in an expendable mode. With the addition of 
the LO 2 plant on the moon, the transfer and excursion vehicles will be flown 
in a reusable mode. 

Flights to Mars will follow much the same pattern as the lunar flights. 
The one significant exception is the first manned flight. For a chemical 
propulsion system, both transfer and excursion vehicles will be flown in an 
expendable mode with the transfer vehicle aerobrake, if used, jettisoned at 
Mars. The flight crew will transfer to an Apollo-like reentry vehicle for 
direct reentry to earth. The transfer vehicle will either be lost in space or 
burnup upon reentry to earth. If the propulsion system is nuclear-based, the 
returning astronauts may enter into an earth orbit on all missions including 
the first. This first manned flight with a chemical propulsion system is 
mentioned for the sake of completeness. The long flight times to Mars 
involved with chemical propulsion will likely preclude the use of chemical- 
based rocket engines. In any case, there is always the possibility of using 
an Apollo-like reentry capsule on a Mars mission regardless of the propulsion 
system; throwaway nuclear rocket engines may be used and return to earth may 
be by direct reentry in an Apollo-like capsule without the use of a propulsion 
system for orbit insertion. 

3.1 LUNAR OUTPOST 

The typical delivery of cargo and crew to the lunar outpost. Figure 3-1, 
will begin with launches of lunar payload, crew, and propellants from earth to 
Space Station Freedom. At Space Station Freedom, these items are loaded onto 
the lunar transfer vehicle. The lunar transfer vehicle subsequently 
rendezvous with the lunar excursion vehicle in lunar orbit. Payload, crew, 
and the necessary propellants are transferred to the lunar excursion vehicle. 
The lunar excursion vehicle subsequently descends to the lunar surface. The 
lunar transfer vehicle returns to Space Station Freedom. Servicing and 
maintenance of the lunar transfer vehicle will be performed at Space Station 
Freedom while the same will be performed for the lunar excursion vehicle at 
the lunar outpost. Alternatives to this basic mission sequence are direct 
launch to the moon, e.g., Apollo flights; launch to low earth orbit for 
assembly of the lunar transport vehicles; direct descent to the lunar surface; 
and the use of expendable vehicles. 

There will be both piloted and cargo-only flights as identified in Ref. 
II I -1. A limited exploration program may have astronauts on every flight. A 
piloted flight will deliver cargo and a four man crew to the lunar surface 
with subsequent return of the crew and a limited amount of cargo. A cargo 
flight will deliver only cargo with the lunar transfer vehicle left on the 
surface or returned empty. Both flights will use common lunar transfer and 
excursion vehicles. Direct launch and descent missions may use what would be 
defined as a single vehicle with stages. A piloted flight will require the 
addition of a crew module while the cargo flights will use only some type of 
cargo pallet. Cargo flights where the lunar transfer and excursion vehicles 
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Figure 3-1 Lunar Mission Profile (Ref. III-2). 



are expended will provide the maximum transfer of mass to the lunar surface. 
Piloted flights will likely use an earth-to-moon trajectory which will allow a 
safe return to the earth should the propulsion system fail to allow proper 
insertion into an orbit about the moon. The trajectory would allow the 
astronauts to fly behind the moon and then return to the earth with little or 
no thrusting. The assumption has been made that an Apollo-like reentry would 
be required at the earth. The disposition of the rest of the cargo and space 
vehicle is unknown; the cargo and vehicle would either fly past the earth, 
orbit, or enter the atmosphere. 

Heavy-lift launch vehicles will be utilized to deliver the lunar 
payloads, vehicles, and propellants to Space Station Freedom in the basic 
mission sequence. These same vehicles, or variations, would be used to 
deliver material to low earth orbit or to launch directly to the moon. The 
launch vehicles will be either a derivative of the Shuttle or a version of the 
Advanced Launch System, Figure 3-2. Both launch vehicles will have a payload 
shroud large enough to allow lunar transfer and excursion vehicles to be 
launched virtually intact during the early expendable flights. One launch 
will deliver the lunar transfer and excursion vehicles and two subsequent 
launches will deliver the necessary lunar transfer and excursion vehicle 
propellants. Early piloted flights will have the lunar transfer and excursion 
vehicles. Figure 3-3, packaged to be launched on a single heavy-lift vehicle. 
The package will contain a fully fueled lunar transfer vehicle core 
propulsion/avionics module, the aerobrake central core and peripheral 
segments, the lunar transfer vehicle crew module, the lunar excursion vehicle 
crew cab, and a partially fueled lunar excursion vehicle. The Shuttle will 
deliver crew and cargo. All early flights will expend the lunar transfer and 
excursion vehicles. Direct launch and descent flights will have launch 
configurations similar to early expendable flights but with fully fueled 
vehicles. 

At Space Station Freedom, the eight peripheral aerobrake segments will 
be attached to the central core of the lunar transfer vehicle and the 
combination examined for structural integrity. The aerobrake will be 
refurbished and verified after each flight up to a total of five flights. 
Similar work is assumed performed at a low earth staging orbit not at Space 
Station Freedom. 

Two heavy-lift vehicles will deliver to Space Station Freedom the 
expendable propellant tanks for the lunar transfer vehicle. Two of the 
propellant tanks will be jettisoned after trans-lunar orbit injection and the 
remaining two will be jettisoned in low lunar orbit. The same sequence of 
propellant tank delivery and empty tank ejection was assumed when a low earth 
staging orbit was used in place of operations at Space Station Freedom. A 
direct launch mission was assumed to also jettison empty fuel tanks. 

When the lunar excursion vehicle is reused, cryogenic propellants and 
consumables will be transferred from the lunar transfer vehicle. LO 2 mined on 
the lunar surface will be used by the lunar excursion vehicle when available; 
LHj will always originate from earth. 
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An automated rendezvous and docking system is provided in the lunar 
transfer vehicle for rendezvous with a lunar excursion vehicle in lunar orbit 
and with Space Station Freedom upon return from the moon. This system will 
have manual override provisions for piloted flights. 

The reused lunar excursion vehicle, Figure 3-4, will be based on the 
lunar surface or stored in lunar orbit. On the lunar surface it will be 
covered by a thermal tent and out-gassing will be controlled by the lunar 
excursion vehicle servicer stationed at the launch area. The legs and landing 
pads will be provided with height control for landing on unimproved areas. 

The excursion vehicle engines will provide single engine-out capability. They 
will be fueled with LHj and LOj. 

An expended lunar excursion vehicle was assumed to be left in lunar 

orbit. 


3.2 MARTIAN OUTPOST 

Delivery of crew and cargo to Mars in the basic mission sequence is very 
similar to delivery to the moon. The flight profile is shown in Figure 3-5. 
Payload, crew, and propellants are launched from earth to Space Station 
Freedom where transfer and excursion vehicles are assembled, inspected, and 
fueled. The assembled vehicles are then inserted into a transfer orbit to 
Mars. At Mars the vehicles separate and use aerobrakes for Mars capture. In 
orbit, the vehicles rendezvous and the crew transfers from the transfer 
vehicle to the excursion vehicle. Descent to the martian surface is 
accomplished by aerobrake and descent engines. The aerobrake is jettisoned 
during reentry. Once on the surface, the crew lives in a habitat which has 
been delivered as cargo either on the same excursion vehicle or a previous 
one. Ascent from the surface will be accomplished using an upper stage of the 
excursion vehicle. This part of the excursion vehicle will rendezvous with 
the orbiting transfer vehicle to transfer crew and cargo for the return trip 
to earth. Capture at earth will be accomplished by transfer vehicle 
aerobrake. The transfer vehicle will then rendezvous with Space Station 
Freedom for refurbishment. 

Flight maneuvers include injection into the trans-Mars orbit, aerobrake 
capture at Mars, and descent and landing at Mars. The return portion of the 
mission involves ascent from the martian surface, rendezvous in martian orbit 
with the transfer vehicle, injection into the trans-earth orbit, and capture 
at earth. The two captures will be accomplished by aerobraking. 
Aeromaneuvering of the excursion vehicle will allow cross-range landing 
capability for an out-of-plane (orbital) landing site. The early piloted 
expeditionary missions will use an Apollo-like reentry capsule for the crew to 
reenter directly to the surface of the earth. The nominal entry velocities at 
Mars and earth are 8.5 kilometers per second and 12.5 kilometers per second, 
respectively. An aborted mission is expected to see a larger earth reentry 
velocity. 
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Figure 3-4 Lunar Excursion Vehicle (Ref. III-l). 
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Figure 3-5 Mars Mission Profile (Ref. III-2). 



Alternatives to the basic mission sequence maneuvers include direct 
launch and descent to Mars with a single transfer vehicle from earth to Mars 
and back. Transfer vehicle assembly may be performed in low earth orbit in 
place of Space Station Freedom. Also, chemical transfer vehicle engines may 
be replaced with nuclear propulsion engines. A potential nuclear electric 
driven trans-Mars orbit trajectory can be seen in Figure 3-6. A nuclear 
thermal driven transfer vehicle would follow a trajectory similar to that of 
the basic mission sequence. The assumption was made that all nuclear 
propulsion driven transfer vehicles would not use an aerobrake for insertion 
Into orbits around the earth and Mars. 

As with the lunar flights, there would be piloted and cargo flights to 
Mars. A limited exploration program may involve only flights with cargo and 
astronauts. Cargo flights will be composed of excursion vehicles only. There 
will be no orbiting transfer vehicle. The excursion vehicles will separate at 
Mars and be captured by means of the aerobrakes, if used. For the first cargo 
flight, the excursion vehicles may descend to the martian surface and remain 
there. For all flights, the lower stage of the excursion vehicle will be 
expended. It appears that the upper portion of excursion vehicles will be 
operated in an expendable mode. All piloted flights will likely use 
trajectories that allow the crew to fly by Mars and return to earth should the 
mission be aborted due to propulsion failure with little or no thrusting. The 
possibility exists that similar flyby trajectories may be used for cargo 
flights to recover the cargo and space vehicle. It is not clear how the 
returning space craft would be captured by the earth^s gravity to orbit about 
the earth since a failed propulsion system may also preclude use of a 
propulsion system for orbit insertion about the earth. The possibility is 
included for completeness. If the decision is made to not recover the space 
vehicle and cargo from an aborted mission, there will be no nuclear reactor 
returning to the earth and thus, no safety Issue. 

Launch vehicles for the exploration of Mars will be a larger class of 
heavy-lift vehicles with roughly double the capacity of the lunar heavy-lift 
vehicles. Conceptual designs are shown in Figure 3-7. An obvious observation 
is that this class of launch vehicles will have payloads located above the 
solid rocket boosters. In a launch explosion, fragments from the solid rocket 
boosters should not be a safety concern. The possibility that the Space 
Shuttle may be used to lift cargo to Space Station Freedom, if it is used as a 
staging area, should not be ignored. The Space Shuttle was mentioned (Ref. 
III-l) as a means to lift cargo for the lunar missions and the potential for 
the same strategy for martian flights may exist. 

The transfer vehicle consists of a core vehicle and an expendable 
injection stage fueled by LHj and LOj, Figure 3-8. Subsequent to injection 
into the trans-Mars orbit at Space Station Freedom, the injection stage is 
jettisoned. The injection stage consists of five core propulsion systems of 
engines and propellant tanks with the potential for three additional strap-on 
propellant tanks. The strap-on propellant tanks will be the same 
configuration as the core system tanks. 
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Figure 3-6 Mars Mission Profile for Nuclear Electric Propulsion (Ref. III-2) 
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Figure 3-8 Mars Transportation System (Ref. III-l). 
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The large aerobrake on the transfer vehicle will be used for capture at 
Mars and the earth on missions subsequent to the early expeditionary missions 
which will use an Apollo-like reentry vehicle upon return to earth. Aerobrake 
lift will provide trajectory control and drag will slow the vehicle. The 
aerobrake heat shield will be designed to survive high-velocity earth reentry 
and capture. Transfer vehicle propulsion for return to earth from Mars will 
be provided by four engines of the design developed for the lunar transfer 
vehicle. 

The excursion vehicle, Figures 3-8 and 3-9, consists of two rocket 
stages and an aerobrake. The aerobrake is identical in shape and size to the 
transfer vehicle aerobrake. It will provide lift to maneuver from parking 
orbit to a landing site on the surface of Mars. It will also contain a heat 
shield for capture at Mars. No mention was made whether this heat shield 
would survive earth reentry. Landing legs are deployed and the descent 
engines are ignited after the aerobrake is jettisoned. The five descent 
engines of the lower stage and the three ascent engines of the upper stage 
will provide single engine-out capability. They will be fueled with LHj and 

LOj. 


Nuclear propulsion concepts for the transport vehicle are shown in 
Figures 3-10 and 3-11. The nuclear thermal engine would burn for a very short 
time in the vicinity of the earth and Mars. Hydrogen would be the propellant. 
Nuclear electric propulsion was assumed to require continual operation of the 
engine during the trans-Mars and trans-earth trajectories. Another assumption 
made was that crew rendezvous was necessary outside the van Allen radiation 
belts. The nuclear electric propulsion system would require weeks to traverse 
the radiation belts from low earth orbit. The nuclear electric powered 
transport vehicle would hays to use a low earth orbit for cargo and propellant 
transfer. 
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Figure 3-9 Mars Excursion Vehicle (Ref. III-l). 
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Figure 3-10 Mars Transport Vehicle Using Nuclear 
III-6). 
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Figure 3-11 Mars Transport Vehicle Using Nuclear Electric Propulsion 
(Ref. III-5). 


4.0 SAFETY REQUIREMENTS 


The following is a list of safety requirements compiled from the SP-100 
space nuclear reactor program. 

1. The maximum individual radiation dose to the public shall be 
0.5 rem/yr. The limit for operations personnel is 5 rem/yr. 

2. Subcriticality shall be positively maintained assuming any 
credible single failure or initiating event during all 
normal assembly, transportation, handling, prelaunch, launch 
ascent, deployment, orbit acquisition, end of life, and 
permanent storage orbit operations. 

3. The reactor shall have effective intrinsic negative 
reactivity feedback for positive power and temperature 
excursions. 

4. The reactor shall be designed to ensure with high confidence 
the permanent subcriticality of the reactor at the final 
shutdown. This final shutdown shall activate automatically, 
shall be irreversible, and shall not be initiated or 
rendered inoperable by any credible single failure or 
initiating event. 

5. The reactor shall remain subcritical under the following 
conditions: 

a) Core internal structure and vessel generally intact 
with all exterior components removed and with all 
possible combinations of soil and water filling and 
surrounding the core. 

b) Core internal structure and vessel generally intact 
with compaction along the pitch lines of the pins to 
produce pin-to-pin contact, all exterior components 
removed, and all possible combinations of soil and 
water filling and surrounding the core. 

c) Core internal structure and vessel generally intact 
with compaction along the pitch line of the pins to 
produce pin-to-pin contact, the normal exterior 
components and reflectors compressed around the core; 
the exterior absorber material, if any, in its normal 
shutdown position; and the core containing it original 
coolant or any possible combinations of soil and 
water. 

d) Core internal structure and vessel generally intact 
with compaction along the pitch line of the pins to 
produce pin-to-pin contact, all exterior components 
removed, and aluminum surrounding the core containing 
its original coolant. 

e) Core internal structure and vessel generally intact 
with all exterior componenti- removed and the vessel 
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exposed to a solid propellant fire. 

6. The unirradiated nuclear fuel shall pose no significant 
environmental hazard. 

7. Engineered safety features shall be designed and built to 
conform to STS-1 (QA Assurance) and STS-2 (Reliability 
Engineering) . 

8. The coolability of the reactor shall be assured with high 
confidence for all credible accident conditions to maintain 
the structural integrity and thereby the predictability of 
the desired reactor behavior during final shutdown. 

9. The reactor protection system shall 

a) have two independent systems not subject to common 
cause failure to reduce reactivity to a subcritical 
state, 

b) have the capability to sense conditions requiring 
shutdown, 

c) have an automatic shutdown capability, 

d) be independent of the reactor control system except 
for the neutron absorber (core-internal) and reflector 
elements and their actuators, 

e) have fault detection sensors with capability for test 
during reactor operation, 

f) have a fault detection system not subject to single 
point failure, 

g) have a fault detection system not subject to common 
cause failures with systems and conditions upon which 
it is called to activate in case of their failure, 

h) be failsafe, and 

i) have adequate shutdown margin. 

10. The reactor designer shall conduct a safety test and 
analysis program to assess reactor response to postulated 
credible accidents. 

11. The reactor control system shall 

a) require a positive coded signal for reactor startup, 

b) be capable of controlling power escalation to full 
power, 

c) be capable of reducing power to a full shutdown mode, 

d) be capable of controlling power and temperature 
excursions, and 

e) be capable of operation in a directed positive 
shutdown mode. 

12. Operating conditions requiring automatic shutdown are 
failure of the reactor control system, exceeding nuclear 
fuel design temperature limits, and failure of the reactor 
control and/or safety systems conmunications system. 
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13. Test and inspection programs for design and manufacture 
shall include a plan to verify the design concept, to show 
conformance to safety specifications, and to provide data 
for quality control of manufacturing or engineered safety 
features. 

14. No planned reentry. 

15. The reactor shall survive an inadvertent reentry in a 
subcritical configuration with internal neutron shutdown 
absorbers intact in a contiguous reactor core. 

16. Following intact inadvertent reentry, the reactor shall be 
designed to produce effective burial of radioactive 
materials present upon impact on water, soil, or pavement- 
grade concrete. 

17. The reactor control and safety systems communications system 
shall be composed of two independent subsystems with the 
capability to monitor and/or control the status of the 
reactor, the reactor control system, the power conversion 
system, and all safety systems. 

18. Independent electrical power shall be provided to the 
reactor control and protection systems and their 
communications system. These systems must operate 
independent of the reactor operating mode or power 
conversion system operation. Independent electrical power 
must be provided to safety related systems for a minimum of 
24 hours following failure of the power conversion system. 

19. Quantities of toxic materials are to minimized. 

20. The power system shall be designed to prevent a significant 
release and dispersal of toxic materials during normal 
operations in all mission phases with the potential for 
human interaction with the system and when the system is 
exposed to environments associated with credible failures 
and accidents during these operations. Possible releases to 
the atmosphere will be held within on-site and off-site 
tolerance levels established by the appropriate regulatory 
authority. 

21. The instrumentation system shall provide, through reactor 
control, protection and safety systems communication system, 
signals to allow continuous determination of 1) the reactor 
power level and rate of change; 2) the fuel temperature; 3) 
the positions of the control and reflector elements; and 4) 
the status of the reactor control system, the reactor 
protection system, the power conversion system, and the 
Independent electrical power source. 
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22. Individual risk due to a mission shall be subject to ALARA 
considering economic, technical and social factors. 

23. The risk to the general population shall be subject to ALARA 
considering economic, technical and social factors. 

24. Design margins must reflect consideration of normal mission 
operation system failure rates, accident probabilities and 
environments. 

25. Safety Technical Specifications must be prepared for 
approval by the Department of Energy. 

26. The reactor design shall enhance the ability to detect, 
locate, and recover Special Nuclear Material. 

27. The power system shall comply with NSTS 1700. 7B and KHB 
1700.7 safety requirements for STS payloads. 

28. NHB 8071.1, JSC 18327, and AFSD SD-YV-0068 shall apply to 
the design for fracture control of payloads launched on the 
Space Shuttle. (The appropriate requirements for other 
launch vehicles will apply for launch with those vehicles). 

29. NSTS 14046 shall apply for structural design verification. 

30. MSFC-SPEC-522 shall apply for control of stress corrosion 
cracking. 

31. The design shall be in accordance with JPL 601-4 (Aerospace 
System Safety Guidelines). 

32. MIL-STD-1576 shall apply for electro-explosive devices. 

33. Fission products shall be contained within fuel pins through 
permanent disposal. 

34. Local fault propagation in reactor internals and core 
assemblies shall be minimized due to flow blockages or flow 
restrictions. 

35. Fuel design specifications shall not be exceeded. 

36. Potential meteoroid and space debris damage shall be 
assessed per NASA SP-8042. 

37. The power system shall be designed with reactivity limits to 
assure the effects of postulated reactivity accidents can 
neither result in damage to the coolant boundary nor disturb 
the core, support structures, or other reactor internals. 

38. The maximum programmable rate of change of reactor power 
over the full power range shall be 1.5% of iul'i rated power 
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per minute. 

39. Safety rod insertion probability shall be greater than 
0.999. 

40. Minimum voltage limits shall be set on critical loads bus 
external to the reactor controller. 

41. The power system shall be failsafe upon loss of power from 
the launch vehicle. 

42. The reactor monitoring systems shall include alarm 
indications signalling the presence of abnormal conditions 
while inside the STS payload bay and during pre-launch 
operations. 

43. Beryllium structures shall comply with NASA- JSC Letter ES2- 
47-87. 

44. NSTS defined Category 1 Hazards shall be two fault tolerant. 

45. NSTS defined Category 2 Hazards shall be single fault 
tolerant. 

46. Software shall be subject to NSTS fault tolerance 
requirements. 

47. Normal power system functions shall not cause ignition of an 
assumed flammable payload bay atmosphere during reentry, 
landing and post-landing operations. (This is a requirement 
for launch in the NSTS). 

48. Any mechanical interface with the launch vehicle shall be 
capable of withstanding launch loads, abort loads (NSTS) and 
orbit injection loads (NSTS). 

49. Moving mechanical assemblies shall be designed per DoD-A- 
83577. 

50. Structural verification shall be performed as per AFSD SD- 
YV-0067. 

51. Contamination of launch vehicle materials by refractory 
materials used in the nuclear power system shall not cause 
launch vehicle material loss of ductility or loss of 
material thickness by erosion. 

52. Power system manufacturing processes shall meet safety and 
environmental regulations. 

53. Batteries for the power system shall be designed in 
accordance with NSTS 1700.7 and JSC 20793. 
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54. Pressure vessels are to be compatible with room temperature 
assembly and integration. 

55. Composite structures shall comply with NSTS 1700.7. 

56. The test connector to permit ground monitoring of reactor 
instrument and control system status shall be independent of 
the telemetry data stream and must be accessible in the 
stowed launch configuration. 

57. There shall be no planned release of hazardous materials 
during NSTS operations. 

58. The reactor power system design must comply with NHB 
8060. IB. 

59. Pre-launch repairs shall be performed in accordance with KHB 
1700.7 and MIL-STD-1472. 

60. Lightning protection shall be provided per JSC 07636. 

61. Power system wiring shall tolerate 200% of expected current 
load without exceeding insulation temperature rating. 

62. Electronics performing safety functions must be capable of 
withstanding SVS- 11501 environments and comply with DoD-E- 
8983. 

63. System design shall provide protection of personnel per MIL- 
STD-1472. 

64. Maximum EMR fields while the power system is inside the NSTS 
cargo bay shall comply with JSC 07700, Volume XIV, 

Attachment 1. 

65. EVA required activity for the power system shall comply with 
JSC 10615. 

66. Power system elements shall be designed or marked to prevent 
connection in a reverse mode. 

67. Power system drawings shall include critical item 
designations per SP-100 CIL instructions. 

68. All reactor operations shall be supervised by qualified 
personnel trained for reactor operation. 

69. All main power returns shall be carried within a supply line 
as a twisted, shielded pair. 

70. The design shall have an overload protection limit of 55 
amperes. 


34 


It should be noted that the above requirements are primarily for launch 
on the NSTS. Launch with a vehicle other than the NSTS will require the 
system designer and safety function to meet comparable requirements for that 
launch vehicle. 

Additional safety requirements would include that the reactor is not 
operated in a power production mode until emplaced on the moon or Mars (Ref. 
III-l) and the maximum individual radiation dose from lunar and martian 
operations be dependent upon the overall mission risk and total dose from 
natural and man-made radiation sources (Refs. lV-1, IV-2, IV-3, and IV-4). 

The National Council on Radiation Protection has proposed an individual dose 
guideline of 50 rem/yr from all radiation sources (Ref. IV-1). Power cable 
design and placement at the outposts shall prevent astronaut contact with the 
cables or prevent astronaut electrocution if contact is made. Also, power 
reductions and reactor scram shall not result in the loss of critical life 
support systems which would result in the loss of life prior to the restart of 
the reactor power system or the use of supplementary power sources. 

The requirements from the SP-100 program are for an unmanned mission. 

For manned missions, the requirements listed in the preceding paragraph are 
required in addition to those for unmanned missions. The unmanned mission 
requirements are the result of an initial cursory evaluation of SP-100 mission 
safety requirements and their applicability to potential SEI missions. The 
additional manned mission requirements were identified in this study. A 
thorough evaluation of the applicability of the above unmanned mission safety 
requirements is needed to eliminate unnecessary requirements and to identify 
missing requirements. The requirements listed in this chapter are primarily 
for a payload on the Space Shuttle. The launch vehicles proposed for the SEI 
missions are primarily expendable boosters. A study is required to ensure 
that the safety requirements for these expendable launch vehicles have been 
identified. Finally, as launch vehicle designs and mission definitions 
mature, the safety requirements presented have to be reassessed for 
applicability and completeness. 

A list of safety related documents is presented in Table 4-1. 
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Table 4-1 

Safety Related Documents 
(Sheet 1 of 3) 


Document Number 


Title 


APR 127-4 

Investigating and Reporting US Air Porce 
Mishaps 

APR 127-12 

Air Porce Occupational Safety, Pi re 
Protection and Health (APOSH) Program 

APR 160-132 

Control of Radiological Health Hazards 

APR 161-8 

Control and Recording Procedures - 
Occupational Exposure to Ionizing 
Radiation 

APSD SD-YV-0067 

Structural Design Verification 
Requirements for DoD Shuttle Payloads 

APSD SD-YV-0068 

Practure Control Requirements for DoD 
Shuttle Payloads 

DoD-A-83577 

Assemblies, Moving Mechanical, for Space 
Vehicles, General Specifications 

DoD-E-8983 

Electronic Equipment, Aerospace, Extended 
Space Environment, General Specification 

DOE Orders on Nuclear Safety 

Various titles (e.g., 5480.6 - Safety of 
Department of Energy-Owned Nuclear 
Reactors) 

ICD 2-19001 

Shuttle Orbiter/Cargo Standard Interfaces 

JPL 601-4 

Jet Propulsion Laboratory Plight Projects 
Safety Guidelines and Requirements 

JSC 07636 

(lightning protection) 

JSC 10615 

EVA Description and Design Criteria 

JSC 18327 

Practure Control Guidelines for STS 
Payloads 

JSC 20793 

Manned Space Vehicle, Battery Safety 
Handbook 
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Table 4-1 

Safety Related Documents 
(Sheet 2 of 3) 


Document Number 


Title 


JSC Letter ES2-47-87 

KHB 1700.7 

KHB 1860. lA 
MSFC-SPEC-522 

MIL-STD-1472 

MIL-STD-1522 

MIL-STD-1576 

NASA SP-8013 
NASA SP-8042 
NCRP Report No. 98 


(Johnson Space Center letter on beryllium 
fracture control) 

Space Transportation System Payload Ground 
Safety Handbook 

KSC Ionizing Radiation Protection Program 

Design Criteria for Controlling Stress 
Corrosion Cracking 

Human Engineering Design Criteria for 
Military Systems, Equipment, and 
Facilities 

Standard General Requirements for Safe 
Design and Operation of Pressurized 
Missile and Space Systems 

Electroexplosive Subsystem Safety 
Requirements and Test Methods for Space 
Systems 

Meteoroid Environment Model - 1969 (Near 
earth to lunar Surface) 

Meteoroid Damage Assessment, NASA Space 
Vehicle Design Criteria (Structures) 

Guidance on Radiation Received in Space 
Activities 


NHB 8060. IB 


NHB 8071.1 
NSTS 14046 


Flammability, Odor, and Offgassing 
Requirements and Test Procedures for 
Materials in Environments That Support 
Combustion 

Fracture Control Requirements for Payloads 
Using the National Space Transportation 
System (NSTS) 

Payload Verification Requirements 
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Table 4-1 

Safety Related Documents 
(Sheet 3 of 3) 

Document Number 

Title 

NSTS 1700.7b 

Safety Policy and Requirements for 
Payloads Using the Space Transportation 
System 

OSNP-1 

Nuclear Safety Criteria and Specifications 
for Space Nuclear Reactors 

SP-100 Program Safety 
Technical Specifications 

Reference Flight System Specification 
(SE002) 

10CFR20 

Code of Federal Regulations, Title 10, 
Part 20 - Standards for Protection 
Against Radiation 



5.0 HISSION PROFILES 


The process of identifying safety issues for the use of a nuclear power 
system on the moon or Mars is a multistep process. To be comprehensive, the 
safety analyst must become familiar with all aspects of the potential 
application. Subsequently, potential hazards must be identified. The analyst 
must then assess the response of the nuclear power system to these hazards. 
From this response assessment, the analyst can estimate potential radiation 
and toxic material sources that would be hazardous to humans. Using models 
which simulate the transport of these hazards to humans, the analyst can 
estimate the risk to the general population and to the environment of the 
mission. 

As an initial step in this process, this study has identified potential 
hazardous environments for the nuclear power system which could results in 
hazards to humans and the environment. No attempt has been made to eliminate 
hazards, and thus, safety issues, by a quantitative assessment of the 
probability of an event or the response of the nuclear power system and the 
resulting hazardous source. The next step in the safety process would be the 
determination of the probabilities of events leading to hazardous environments 
for the nuclear power source and the characterization of these environments. 

In order to identify potential hazardous environments for the nuclear 
power system, the application (nuclear power source of electricity on the moon 
and Mars) has been defined as allowed by available information. The process 
of defining the application required descriptions of the potential mission 
profiles. With these descriptions, including all reasonable possibilities, 
potential hazardous environments for the nuclear power system could be 
identified. Hazardous environments for humans were also identified as part of 
this process. Chapter 5 presents descriptions of the potential mission 
profiles and Chapter 6 presents potential hazardous environments for the 
nuclear power system and the astronauts based upon the mission profiles 
described in this chapter. In this manner, safety issues can be identified in 
a comprehensive manner. As stated previously, the next step beyond this study 
would be to assign event probabilities and characterize environments to allow 
a quantitative assessment as to the relative risk involved. Obviously, events 
with very low probability and safe reactor response would be eliminated as 
safety issues. 

Mission profiles for lunar and martian missions have been defined. A 
basic mission profile has been assumed for each mission. The basic lunar 
mission is based upon operation of transfer and excursion vehicles in a 
reusable mode. The martian basic mission profile describes operations with 
chemical rocket engines and aerobrakes and with an expendable excursion 
vehicle. Potential alternate activities in a mission phase are also 
discussed. The basic mission profiles with alternate mission phase activities 
were selected to minimize the number of mission profiles examined but allow a 
comprehensive assessment of safety issues. 
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5.1 LUNAR OUTPOST 


The top-level definition of the mission profile for a lunar flight has 
been defined as shown in Table 5-1. This closely follows lunar mission 


Table 5-1 

Lunar Hisslon Profile 


Mission 


Phase 

Mission Activity 

1 

Pre-launch 

2 

Launch to low earth orbit 

3 

Low earth orbit space vehicle assembly 

4 

Trans-lunar orbit insertion 

5 

Lunar orbit insertion 

6 

Rendezvous with lunar excursion vehicle 

7 

Descent to lunar surface 

8 

Empl acement 

9 

Operation and maintenance 

10 

Disposal 


sequences defined by the National Aeronautics and Space Administration in 
References III-l and V-1 with the exception of phase 3. The exception was 
final assembly of the lunar mission space vehicle in low earth orbit but not 
at the space station. Figure 3-1 contains a drawing of a typical lunar flight 
profile as defined in References III-l and V-1. This mission profile replaced 
the mission phases dock with space station Freedom and space station Freedom 
operations with low earth orbit space vehicle assembly operations. These 
replaced mission phases are included in the analysis as options since the 
possibility exists the space station mission in the future may include 
operating as a rendezvous platform for the Space Exploration Initiative. The 
following text in this section will present a more detailed description of the 
above phases in the lunar mission profile. 

Pre-launch 

The detailed mission profile for the pre-launch phase of the lunar 
mission is shown below in Table 5-2- It was assumed that control of the fuel 
was limited to the Department of Energy until received at the launch site. A 
similar procedure was followed for the Radioisotope Thermoelectric Generators 
for Galileo where the Department of Energy fabricated the fuel, assembled the 
generators, tested them, and provided transportation between Department of 
Energy sites and Kennedy Space Center. The Department of Energy delivered the 
generators to an appropriate storage facility at the launch site. Intraplant 
transfer, when it was required, was arranged by the launch site controlling 
authority. The Department of Energy would manufacture the fuel pellets. 
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Table 5-2 

Pre-launch Hission Phase Activities 


Sequence 

Mission Phase Activity 

1 

Fabrication and assembly of reactor 

2 

Zero power testing of reactor 

3 

Package and ship reactor to launch 
site 

4 

Mate reactor with balance of power 
system, if required 

5 

Inspect and test 

6 

Store power system 

7 

Integrate power system with launch 
vehicle 

8 

Transport launch vehicle to pad 
and inspect 

9 

Load cryogenic propellants 

10 

Activate telemetry 

11 

Ignite liquid propellant engines 


insert the pellets into the fuel rods, and insert the rods into the reactor 
vessel, load the lithium, and seal the vessel. The unfueled reactor vessel 
would have been shipped to a Department of Energy site by the power system 
suppliGr for insertion of the fuel rods and lithium. The Department of Energy 
would then transport the reactor to the launch site where it would become the 
responsibility of the user agency, the launch agency and the power system 
supplier as authorized by the launch site controlling authority. At the 
launch site, the reactor would be inspected and placed into a storage 
facility. The activities required at the launch site would be dependent upon 
the reactor configuration as shipped to the launch site. The configuration of 
the reactor at this time would depend upon zero power testing requirements, 
transportation limitations, and launch site assembly limitations. This study 
did not investigate possible configurations. The most likely reactor 
configuration delivered to the launch site would be a complete nuclear power 
system ready to be mated to a payload or launch vehicle as required. Handling 
of the reactor at the launch site was assumed limited to system checkout tests 
to determine any damage due to transportation from the Department of Energy to 
the launch site and any checkout due to final power system assembly perfomed 
at the launch site, e.g., dry run mating checks, physically and electrically 
mating the reactor with any balance of the power system not attached, 
component checkout after mating, and final loading into the launch vehicle 
payload bay. Checkout of the primary heat transfer loop would likely be 
performed at a Department of Energy facility where the majority, if not all, 
of the power system was assembled. It is doubtful that a significant amount 
of power system assembly would be performed at the launch site. At all other 
times, the reactor would be in the launch site storage facility. Ground 
handling at the launch site will require the use of transport systems and lift 
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cranes. Access control would be provided through physical barriers and 
procedures. 

Launch to Low Earth Orbit 

Boost to low earth orbit will be accomplished by either of three launch 
vehicles, the current space shuttle, a heavy-lift derivative of the space 
shuttle, or an advanced launch systems (ALS) vehicle. Since the launch 
sequences are slightly different between the space shuttle types and the ALS, 
two mission profiles have been defined for this phase. The profiles for this 
phase are shown in Tables 5-3 and 5-4 for the ALS vehicle and the space 
shuttle-type vehicle, respectively. This phase of the mission is the same as 
missions previously studied during the Galileo/Ulysses (Ref. V-2), DIPS (Ref. 
V-3), and SP-100 programs (Refs. V-4 and V-5) and will be discussed only 
briefly since safety assessments have been performed as part of these 
programs. The phase begins with either liftoff of a liquid-propellant-fueled- 
only launch vehicle or the ignition of the solid rocket motors and ends with 
either the separation of the payload from the ALS vehicle or the opening of 
the shuttle- type vehicle payload bay doors. These launch and ascent sequences 
have been extensively defined for the Galileo and SP-100 programs and the same 
sequences are assumed here. 

An upper stage was assumed. Initial crew flights may involve partially 
fueled excursion vehicles. For later flights when the excursion vehicles 

would be reused, this will not be the case. It was assumed that any launch of 

an excursion vehicle in the reusable mode would be without propellants. Cargo 
flights will launch the propellants separately from the excursion and transfer 
vehicles. Launch configurations for shuttle-derivative vehicles will require 
the reactor to be located at an elevation occupied by a portion of the solid 
rocket boosters, see Figure 3-2. The launch configuration for an ALS boost to 
low earth orbit will have the reactor above the boosters. 

The usual convention is to break this mission phase into additional 
phases. For a shuttle launch, this means the following phases: launch (prior 

to liftoff), stage 1 ascent (from liftoff until the boosters are jettisoned), 
and stage 2 ascent (after booster jettison until Orbital Maneuvering System 
burn number 1) (Ref. V-2). For an unmanned launch vehicle, this results in 

the mission phases launch (from liftoff to booster jettison) and ascent 

(liquid stage burns including any upper stage) (Ref. V-3). For purposes of 
this study, these phases have been lumped into one with the intention of 
minimizing the repetition of extensively published results of past safety 
studies (Refs. V-2, V-3, V-4, and V-5). Results pertinent to this study will 
be summarized and included for completeness. 

Direct launch to the moon would involve transport vehicle(s) fueled at 
launch. The anticipated launch vehicle is either a shuttle-derivative or ALS 
booster. The events for this mission phase would be the same as those listed 
in Tables 5-3 and 5-4. 
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Table 5-3 

Advanced Launch System Launch Phase Activities 


Sequence 

Mission Phase Activities 

1 

Liftoff 

2 

Clear tower 

3 

Roll maneuver 

4 

Pitchover maneuver 

5 

Staging sequence command 

6 

Stage I ignition 

7 

Booster separation 

8 

Payload fairing unlatch and jettison 

9 

Staging sequence command 

10 

Stage I separation 

11 

Stage II ignition 

12 

Staging sequence command 

13 

Stage II retrofire and separation 


Table 5-4 

Shuttle-derivative Vehicle Launch Phase Activities 


Sequence 

Mission Phase Activities 

1 

Solid rocket booster ignition 

2 

Liftoff 

3 

Clear tower 

4 

Roll maneuver 

5 

Pitchover maneuver 

6 

Staging sequence command 

7 

Solid rocket booster separation 

8 

Main engine cutoff 

9 

External tank jettison 

10 

Orbital Maneuvering System first burn 

11 

Coast 

12 

Orbital Maneuvering System second burn 

13 

Payload bay doors open 


Low Earth Orbit Space Vehicle Assembly 

The mission profile for this phase of the lunar mission depends upon the 
launch vehicle. It was assumed that the space shuttle or a derivative would 
be capable of delivering the payload to the assembly point without assistance. 
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A space tug or an upper stage was assumed to be required to deliver the ALS 
payload. The resulting profiles are shown below in Tables 5-5 and 5-6 for the 
ALS and the shuttle-derivative, respectively. The payload has been assumed 
separated from the ALS. 


Table 5-5 

Mission Phase Low Earth Orbit Space Vehicle 
Assembly Activities (ALS) 


Sequence 

Mission Phase Activities 

1 

Space tug dock with payload, if used 

2 

Space tug/upper stage maneuver and 
first burn 

3 

Space tug/upper stage final burn 

4 

Release from space tug/upper stage 

5 

Inspection for damage 

6 

Lunar transfer vehicle and lunar 
excursion vehicle assembly, if required 

7 

Lunar transfer vehicle and lunar 
excursion vehicle fueling, if required 
Attach cargo to lunar transfer vehicle 

8 


Table 5-6 

Mission Phase Low Earth Orbit Space Vehicle 
Assembly Activities (Shuttle-Derivative) 


Sequence Mission Phase Activities 


1 Space Shuttle Orbital Maneuvering 
System burns 

2 Remove payload from shuttle bay 

3 Inspection for damage 

4 Lunar transfer vehicle and lunar 

excursion vehicle assembly, if required 

5 Lunar transfer vehicle and lunar 

excursion vehicle fueling, if required 

6 Attach cargo to lunar transfer vehicle 


All propulsion is assumed by means of cryogenic propellants with two 
burns requWed. Low thrust engines will be used for maneuvering. Either a 
space tug (e.g.. Orbital Maneuvering Vehicle) will dock with the ALS payload 


44 


and deliver It to the assembly point or an upper stage will be used. The 
payload in the shuttle bay will be removed at the assembly point. The space 
tug will be remotely controlled. The orbit lifetime for the payload will be 
short for purposes of safety assessment, i.e., a failure resulting in the 
payload stranded in orbit will lead to reentry. 

The post-launch inspection of the power system will likely be performed 
in parallel with the many other lunar transfer vehicle assembly and 
maintenance operations. The activities in this phase are those which begin 
after the cargo has been separated from the launch vehicle and end with the 
completion of the assembly of the lunar transfer vehicle with lunar cargo. 
Major activities include the assembly/refurbishment of the aerobrake, 
maintenance of the propulsion system, and attachment of the fuel tanks and 
cargo. Propellants are LO 2 and LHj. It was assumed the fuel tanks would be 
attached to the lunar transfer vehicle prior to the cargo based upon Figure 3- 
4. The sequence of events may mirror those on the ground where fueling is 
last. Flights to the moon with the lunar excursion vehicle in the reusable 
mode would require the cargo be attached to the lunar transfer vehicle and not 
the excursion vehicle. There is the possibility early in the initiative that 
cargo may be launched attached to the lunar excursion vehicle. 

Assembly of the transportation vehicles may occur at Space Station 
Freedom should the mission of the space station be expanded in the future. 

The mission profiles may be as shown in Tables 5-7 and 5-8 for an ALS and a 
shuttle-derivative launch vehicle, respectively. Assembly at the space 


Table 5-7 

Mission Phase Dock with Space Station After 
ALS Launch Activities (option) 


Sequence 

Mission Phase Activities 

1 

Space tug dock with payload 

2 

Space tug maneuver and first burn 

3 

Space tug final burn 

4 

Dock with Space Station Freedom 

5 

Disassemble payload and attach to 
space station as required 

6 

Inspection for damage 

7 

Lunar transfer vehicle and lunar 
excursion vehicle assembly, if required 

8 

Lunar transfer vehicle and lunar 
excursion vehicle fueling, if required 

9 

Detach cargo from space station, if 
required 

10 

Attach cargo to lunar transfer vehicle 
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Table 5-8 

Mission Phase Dock with Space Station after 
Shuttle Launch Activities (option) 


Sequence Mission Phase Activities 


1 Space Shuttle Orbital Maneuvering 
System burns 

2 Shuttle dock with Space Station Freedom 

3 Remove payload from shuttle bay 

4 Attach payload to Space Station Freedom 

5 Inspection for damage 

6 Lunar transfer vehicle and lunar 

excursion vehicle assembly, if required 

7 Lunar transfer vehicle and lunar 

excursion vehicle fueling. If required 

8 Detach cargo from space station, if 
required 

9 Attach cargo to lunar transfer vehicle 


station would result in essentially the same activities as for space vehicle 
assembly in low earth orbit with the exception of the detachment of the cargo 
from the space station. The potential exists for a direct launch to the moon 
was defined as shown in Table 5-9. The use of a single transportation vehicle 
would not involve the transfer of cargo at either the low earth orbit assembly 
point or the space station. 


Table 5-9 

Mission Phase Direct Launch to Moon (option) 


Sequence Mission Phase Activities 


1 Separate from launch vehicle 

2 Maneuver for trans-lunar orbit 

insertion 

3 Lunar transport vehicle burn 

4 Jettison empty propellant tanks 

5 Coast to lunar orbit insertion 
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Trans-Lunar Orbit Insertion 

The activities during this mission phase are shown in Table 5-10. The 


Table 5-10 

Trans-Lunar Orbit Insertion From Low Earth Orbit 
Space Vehicle Assembly Mission Phase Activities 


Sequence 

Mission Phase Activities 

1 

Maneuver for orbit insertion 

2 

Transfer vehicle engine burn 

3 

Empty propellant tanks jettisoned 


activities begin with the initial maneuvering prior to the thrusting required 
for insertion into the trans-lunar orbit. After the burn, the emptied lunar 
transfer vehicle propellant tanks are jettisoned. Flight is by an automated 
control sequence. Propellants are LOj and LHj. 

If the space station assembly option is exercised, this mission phase 
would begin with a space tug maneuvering to dock with the assembled lunar 
transfer vehicle, with or without the lunar excursion vehicle, see Table 5-11. 

Table 5-11 

Trans -Lunar Orbit Insertion From Space Station 
Freedom Mission Phase Activities (option) 


Sequence 

Mission Phase Activities 

1 

Separation from Space Station Freedom 

2 

Dock with space tug 

3 

Space tug maneuver and first burn 

4 

Space tug final burn 

5 

Release from space tug 

6 

Maneuver for orbit insertion 

7 

Transfer vehicle engine burn 

8 

Empty propellant tanks jettisoned 


The space tug docks with the lunar transfer vehicle, thrusts to separate the 
lunar transfer vehicle from the space station in conjunction with the release 
of the transfer vehicle by the space station, and subsequently maneuvers to 
place the transfer vehicle in an orbital conHguration for insertion into the 
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trans-lunar orbit. The space tug undocks and returns to the space station 
prior to the lunar transfer vehicle engine burn for trans-lunar orbit 
insertion and empty propellant tank jettison. 

Lunar Orbit Insertion 

After coasting in the trans-lunar orbit, the lunar transfer vehicle 
would maneuver to provide the proper thrust vector for lunar orbit insertion. 
The LHj and LOj fueled engines would fire until the lunar transfer vehicle is 
in lunar orbit. The empty lunar transfer vehicle propellant tanks would then 
be jettisoned. As with the tanks jettisoned in the previous phase, the 
trajectories of the expelled tanks roust be defined to assure they will not 
become hazards to the reactor. The activity sequence is shown in Table 5-12. 
An automated control system will be used with astronaut override. 


Table 5-12 

Lunar Orbit Insertion Nission Phase Activities 


Sequence 

Mission Phase Activities 

1 

Maneuver for orbit insertion 

2 

Lunar transfer vehicle engine burn 

3 

Empty propellant tanks jettisoned 


Rendezvous with Lunar Excursion Vehicle 

In this mission phase, the lunar excursion vehicle will approach the 
lunar transfer vehicle for docking. The transfer of cargo will be provided by 
an automated system on the lunar excursion vehicle or the lunar transfer 
vehicle. Cargo will be unlocked from the transfer vehicle, pulled or pushed 
to the excursion vehicle, and locked into place on the excursion vehicle. A 
typical cargo transfer system may be as shown in Figure 5-1. Initial flights 
will not require this sequence since the cargo will already be attached to the 
excursion vehicle launched with the transfer vehicle and mated at Space 
Station Freedom or in low earth orbit. LHj will then be transferred from the 
transfer vehicle to the excursion vehicle. LO 2 is assumed provided from 
mining operations on the lunar surface. Until lunar mining of LO 2 is 
producing the necessary quantities, early flights will require the lunar 
transfer vehicle provide LOj for the excursion vehicle. Also, prior to the 
permanent habitation of the lunar base and the decision to reuse excursion 
vehicles, flights will arrive with the transfer and excursion vehicles mated 
and the excursion vehicle fueled. At this time, the excursion and transfer 
vehicles will be flown in an expendable mode. Subsequent to fueling, the 
excursion vehicle will undock from the transfer vehicle and maneuver away from 
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the transfer vehicle for the descent to the lunar surface. This sequence of 
events are shown in Table 5-13. An automated control system was assumed. 


Table 5-13 

Rendezvous with Lunar Excursion Vehicle Mission Phase 

Activities 


Sequence 

Mission Phase Activities 

1 

Lunar transfer vehicle maneuver for 
docking with excursion vehicle, if 
required 

2 

Lunar transfer vehicle dock with lunar 
excursion vehicle, if required 

3 

Transfer cargo and LH 2 /LO 2 , if required 

4 

Separation of lunar transfer and 
excursion vehicles 


Descent to Lunar Surface 

Descent to the lunar surface will be accomplished using the lunar 
excursion vehicle LOj and LHj engines with automated control. The engines 
will burn until touchdown. The burn sequence will involve two burns like any 
other orbit transfer. The sequence is shown in Table 5-14. The landing area 
will not be prepared in the early flights. Sequence 5 represents any 
maneuvering just prior to touchdown. A mission profile for direct descent to 
the lunar surface was defined as shown in Table 5-15. A single vehicle would 
not Involve the separation of the LTV and the LEV. 

Emol acement 

The reactor will be either be placed in an excavation, shielded by a 
berm, or left on the surface, or some combination of these options. For 
purposes of this study, a reference sequence for emplacement by placement in 
an excavation or berm was defined as shown in Table 5-16. This sequence of 
events represents operation subsequent to the arrival of the lunar excursion 
vehicle payload unloader (LEVPU) on the lunar surface and with the presence of 
astronauts. After inspection and connection of telemetry, the cargo will be 
secured by the LEVPU and detached from the lunar excursion vehicle. The LEVPU 
will then lift the cargo from the lunar excursion vehicle and transport it to 
a site near the launch pad for temporary storage. The reactor will be stored 
temporarily as required. The reactor will be inspected prior to transport to 
the excavation site. At the excavation site the reactor will be lowered into 
the excavation. If an upper shield is required to cover the excavation, it 
will be attached at this time. The power conversion system will be assembled 
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Table 5-14 

Descent to Lunar Surface Mission Phase Activities 
(Post-LTV/LEV Rendezvous) 


Sequence 

Mission Phase Activities 


1 

Maneuver for descent burn 


2 

Ignite lunar excursion vehicle 
(two burns) 

engines 

3 

Descent maneuvering 


4 

Touchdown on lunar surface 


5 

Lunar excursion vehicle engine 

cutoff 


Descent to 

Table 5-15 

Lunar Surface Mission Phase Activities 
(direct descent) 

Sequence 

Mission Phase Activities 

1 

Separation of lunar transfer and excursion 
vehicles as required 

2 

Maneuver for descent burn 

3 

Ignite lunar excursion vehicle descent 
engines (both burns) 

4 

Descent maneuvering 

5 

Touchdown on lunar surface 

6 

Lunar excursion vehicle engine cutoff 


as required. The activities required for assembly were not defined in detail 
due to the absence of a final system design. The reactor assembly was assumed 
to require connection to the power conversion subsystem, connection of the 
reactor instrumentation and control circuitry, and connection of the auxiliary 
power supply. These activities would be supplemented with inspections and 
subsystem and component testing. Testing at this time was assumed to be 
limited to devices that are driven by electrical power and do not involve a 
critical reactor configuration. System tests would be performed subsequent to 
startup following power system assembly. A radiation survey would be 
performed prior to continuous full power operation to verify analytical 
estimates of the radiation field emanating from the reactor used for shielding 
design. 
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Table 5-16 

Emplacement in an Excavation and/or Behind a Berm 
Mission Phase Activities 


Sequence 

Mission Phase Activities 

1 

Inspection for damage 

2 

Connect telemetry to surface transport 
vehicle (LEVPU, other?) 

3 

Offload from LEV 

4 

Transport to temporary storage, if 
required 

5 

Inspection damage 

6 

Transport to excavation 

7 

Lower into excavation, configure and 
inspect for damage and contamination 

8 

Connect to power conversion subsystem 
and inspect 

9 

Connect reactor instrumentation and 
control as required and inspect 

10 

Connect to startup power source, if 
required 

11 

Startup 

12 

Test 

13 

Radiation survey 


Emplacement on the surface of the moon was assumed to involve the 
activities shown in Table 5-17. This list of activities would be different 
should the nuclear power system land on the moon at the location where it will 
be operated without removal from a lunar lander. In this case, there will 
likely be a visual inspection for damage followed by any assembly required and 
connection to the power grid, or directly to the application. The commands 
for deployment and startup would then be issued. Startup tests and a 
radiation survey would then be performed prior to full power operation. The 
number of activities will be reduced if the system is self-contained and only 
requires connection to the power grid followed by deploy and startup commands. 

Surface emplacement will require distance or lunar soil to attenuate the 
radiation from the reactor to meet the radiation dose requirements of Chapter 
4. Placement of the power system inside a crater or excavation will allow the 
reactor to be placed closer to the habitat area. Lunar soil will act as a 
shield. Surface placement with line-of-site to the habitat area will require 
the power system to have an integral shield or be located sufficiently far 
from the habitat to meet radiation dose limitations. Operation of an 
unshielded reactor is not a viable option since the large habitat-to-reactor 
distances required would severely limit astronaut activities and the 
additional power cable length and mass required would be prohibitive. 
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Table 5-17 

Emplacement on Surface Hission Phase Activities 


Sequence 

Mission Phase Activities 

1 

Inspection for damage 

2 

Connect telemetry to surface transport 
vehicle, as required (LEVPU, other?) 
Offload from LEV, as required 

3 

4 

Transport to application site, if 
required 

5 

Inspection for damage 

6 

Connect to power conversion subsystem 
and inspect, if required 

7 

Connect reactor instrumentation and 
control as required and inspect, as 
required 

8 

Connect to startup power system, if 
required 

9 

Erect radiation zone barrier, if 
required 

10 

Startup 

11 

Test 

12 

Radiation survey 


Operation and Maintenance 

The operation and maintenance phase of the lunar mission profile begins 
after the initial power-up to full power. Mission phase activities are shown 
in Table 5-18. The sequence may be repeated many times prior to the 
conclusion of this mission phase. 

Astronaut interaction with the reactor would be limited to maintenance 
and control supervision if an active load following strategy is adopted. 
Astronauts would be involved in the maintenance and repair of non-nuclear 
equipment as allowed by the design and working conditions. Maintenance and 
repair may involve astronauts in the power production area, in the vicinity of 
the reactor. Whether the reactor must be shutdown for repairs to the power 
generation system will depend upon the shielding design and the nature of the 
failure. Access to restricted areas near the reactor will have to be 
precluded by some physical or administrative means, e.g., fence, warning 
beacon, and permissible travel lanes. 
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Table 5-18 

Operation and Maintenance Phase Activities 


Sequence 

Mission Phase Activities 

1 

Operate at constant power or active 
load following 

2 

Shutdown 

3 

Maintenance 

4 

Astronaut activities at site 

5 

Startup 

6 

Test 

7 

Power up 


Disposal 

Disposal alternatives for the reactor at end-of-life will depend upon 
detailed evaluations of disposal strategies. Three strategies have been 
defined; 1) disposal in place on the moon, 2) disposal away from the power 
production area, and 3) insertion into a parabolic orbit. The mission phase 
profiles are shown in Tables 5-19 through 5-21. 


All alternatives begin with the final shutdown of the reactor. After 
shutdown, auxiliary power is supplied to the power system to monitor the 
status of the reactor while astronauts perform any necessary activities 
associated with disconnection of the bus to the reactor control system to 
permanently shutdown the reactor. This auxiliary power will also be used 
while astronauts disconnect the power conversion subsystem and radiators from 
the reactor if so desired. For disposal away from the power production area, 
the used reactor would remain in place for fission product decay if this is 
necessary. After a sufficient peri od of time to reduce rad i a tion to safe 
levels, the reactor would be encased in a shielded cask for transport away 
from the power production site. The reactor w ould be hauled by an 
unpressurized manned/ robot ic rover bn ^transport cart to t^e^Hisposa l site or 
the launch pad. These ope ratio ns, plus handli ng at t he dispose s it e and the 
launch pad, were assumed to require mi nTihal astronaut fnvoTvement^r Any; j; 1 
disposal by burial^ may require a decay lieat remqvaT^s^^ 
can lose decay heat sufficiently ih-pTace prior to burl aT . Bur may l)e 
delayed until years after final shutdown if desired. 
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Table 5-19 

Disposal in Place Storage Phase Activities 


Sequence Mission Phase Activities 


1 Shutdown 

2 Provide post- shutdown power 

3 Disconnect reactor control system power 

4 Disconnect reactor from power conversion 
system and radiators if desired 

5 Restrict access to site 


Table 5-20 

Disposal on Moon Away From Power Production Area 
Mission Phase Activities 


Sequence Mission Phase Activities 


1 Shutdown 

2 Provide post-shutdown power for reactor 

3 Disconnect reactor control system power 

4 Disconnect reactor from power conversion 
system and radiators if allowable 

5 Allow radioactivity to decay, if required 

6 Remove reactor from excavation as 
required 

7 Transport reactor to disposal site 

8 Bury reactor or leave on surface 

9 Restrict access to disposal site 
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Table 5-21 

Disposal by Parabolic Trajectory Phase Activities 


Sequence 

Mission Phase Activities 

1 

Shutdown 

2 

Provide post -shutdown power for reactor 

3 

Disconnect reactor control system power 

4 

Disconnect reactor from power conversion 
system and radiators if allowable 

5 

Allow radioactivity to decay 

6 

Remove reactor from excavation as 
required 

7 

Transport reactor to launch site 

8 

Mate with booster if necessary 

9 

Load reactor onto excursion vehicle 

10 

Launch to orbit 

11 

Offload reactor and poster from 
excursion vehicle (if mated on moon) 

12 

Mate reactor with booster if not 
already 

13 

Maneuver for parabolic orbit insertion 

14 

Booster engine burn 


5.2 MARTIAN OUTPOST 

The top-level definition of the mission profile for a martian flight has 
been defined as shown in Table 5-22. This closely follows martian mission 
sequences defined by the National Aeronautics and Space Administration in 
References III-l and V-1. Figure 3-5 contains a drawing of a typical martian 
flight profile, Figure 3-6 for nuclear electric propulsion. The following 
text in this section will present a more detailed description of the above 
phases in the martian mission profile. 

Pre-launch 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the lunar Pre-launch 
mission phase. 

Launch to Low Earth Orbit 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the corresponding lunar 
mission phase with the exceptions that 1) the nuclear reactor power system 
will be launched on expendable launch vehicles with the martian transfer and 
excursion vehicles and 2) the expendable launch vehicle may use solid rocket 
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Table 5-22 

Hartian Mission Profile 


Mission 

Phase 

Mission Activity 

1 

Pre- launch 

2 

Launch to low earth orbit 

3 

Low earth orbit space vehicle 


assembly operations 

4 

Trans-Mars orbit insertion 

5 

Mars orbit insertion 

6 

MTV and MEV rendezvous 

7 

Descent to surface of Mars 

8 

Empl acement 

9 

Operation and maintenance 

10 

Disposal 


boosters. Figure 3-7 shows the martian mission launch vehicle options. 

Low Earth Orbit Space Vehicle Assembly 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the lunar Low Earth Orbit 
Space Vehicle Assembly mission phase for the case where an expendable launch 
vehicle is used. There is the possibility that the nuclear reactor power 
system will be launched attached to the martian excursion vehicle in a 
configuration suitable for the flight to Mars. 

Aerobrake(s), if used, will be assembled on the excursion vehicle(s) and 
the excursion vehicle(s) will be fueled as well as the transfer vehicle. 
Reference III-l is not clear as to the use of martian excursion vehicles in a 
reusable mode. The lunar mission profile was assumed to apply. Regardless, 
propellants for the martian excursion vehicle(s) will likely originate from 
the earth or the moon, the assumption taken here. 

Trans-Mars Orbit Insertion 

For the purposes of this study, the profile for this phase of the 
martian mission was assumed to be the same as the lunar mission Trans-Lunar 
Orbit Insertion mission phase. Figures 3-8 and 3-9 illustrate the proposed 
martian transfer and excursion vehicles with Figure 3-8 showing an expected 
flight configuration. The exceptions are: 1) the possibility of nuclear 

electric propulsion may eliminate LOj, 2) all vehicles are fully fueled, 3) 
the excursion vehicle(s) are always present, and 4) the flight path for 
nuclear electric propulsion may contain a flyby of the moon to gain energy in 
a gravity assist maneuver, see Figure 3-6. 
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Mars Orbit Insertion and HTV/MEV Rendezvous 


The Mars Orbit Insertion flight profile is significantly different from 
the Lunar Orbit Insertion profile due to the separation of the transfer and 
excursion vehicles and the use of aerobrakes to shed energy. The activities 
for this mission phase are shown in Table 5-23. Prior to orbit insertion by 
aerobrake, the transfer and excursion vehicles are separated from the 
configuration as shown in Figure 3-8. The vehicles separately shed energy by 
an automated system until achieving the proper orbit. Subsequently, the 
vehicles rendezvous with the astronauts leaving the crew module of the 
transfer vehicle for the excursion vehicle crew module. Descent to the 
martian surface is then preceded by separation of the transfer and excursion 
vehicles. No cargo transfer from the transfer vehicle to the excursion 


Table 5-23 

Mars Orbit Insertion Phase Activities 


Sequence 

Mission Phase Activities 

1 

Separation of transfer and excursion 
vehicles 

2 

Maneuver for aerobraking 

3 

Aerobrake into orbit 

4 

Maneuver for rendezvous 

5 

Transfer and excursion vehicle dock 

6 

Crew transfer to excursion vehicle 

7 

Separation of transfer and excursion 
vehicles 


vehicle was assumed, i.e., the cargo was assumed attached to the excursion 
vehicle at the vehicle assembly point in low earth orbit, or Space Station 
Freedom. This phase would be unnecessary for cargo missions since the 
excursion vehicles could descend directly to the surface of Mars. 

The use of nuclear propulsion would greatly affect this phase of the 
mission. Orbit insertion would be accomplished by rocket engine burn. A 
short burn near Mars was assumed for a nuclear thermal propulsion system. A 
nuclear electric propulsion system was assumed to have been operated 
constantly since insertion into the trans-Mars orbit except for vehicle 
rotation at mid-course. If constant thrusting is not the case, the electric 
thrusters will, however, be ignited far from Mars in any case. The 
significance of this point is the long lead time available for corrective 
action after failure of the nuclear electric propulsion system. 
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Descent to Surface of Hars 

Descent to the surface of Mars is significantly different than descent 
to the lunar surface. This phase of the martian flight begins with a maneuver 
for descent and ends with engine cutoff after landing. The profile is shown 
in Table 5-24. The aerobrake is used initially to shed orbital energy but is 


Table 5-24 

Descent to Surface of Mars Mission Phase Activities 


Sequence 

Mission Phase Activities 

1 

Maneuver for descent 

2 

Aerobrake 

3 

Jettison aerobrake 

4 

Descent engine ignition 

5 

Touchdown 

6 

Descent engine cutoff 


jettisoned prior to ignition of the descent engine(s). The conditions under 
which the aerobrake is jettisoned are unknown at this time. A chemical or 
nuclear propulsion descent system may be an option. Shielding requirements 
may preclude the use of a nuclear system for manned flight. A nuclear descent 
stage would require a 4/r shield to allow astronauts mobility on the surface. 
Descent was assumed to be controlled by an automated system. 

Emol acement 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the corresponding lunar 
mission phase. 


Operation and Maintenance 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the corresponding lunar 
mission phase. 

Disposal 

For the purposes of this study, the profile for this phase of the 
martian mission has been assumed to be the same as the corresponding lunar 
mission phase. 
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6.0 ACCIDENT SCENARIOS 


Potential accidents for each phase of the lunar and martian mission 
profiles defined in Chapter 5 have been identified. Accident descriptions and 
characterization were qualitative only. There was no data available due to 
the conceptual nature of the launch vehicles and the lack of a specific 
nuclear reactor power system design for the moon and Mars. Nuclear reactor 
designs for the moon and Mars were assumed to be basically similar to SP-100. 

Simplified event trees have been constructed for each mission phase as 
an aid to postulating reactor response to accidents. The accident scenarios 
and simplified event trees have been defined and constructed without regard to 
the safety design features implemented in the SP-IOO program to preclude 
overlooking a new safety issue resulting from the differences in SP-100 
missions and the SEI missions. The effects of the SP-100 program safety 
features will be assessed in chapter 8. Multiple use of a part of a tree does 
not mean consequences of the same magnitude nor that the events represented by 
the same descriptor are exactly identical. For example, the shipping 
accidents on route to reactor assembly and on route to the testing facility in 
Figure 6-1 represent events with individual fuel rods and an assembled 
reactor. A ruptured shipping container would potentially lead to either fuel 
rods in a critical configuration or damage to the reactor to result in a 
critical configuration. A critical configuration was assumed possible only 
after extensive damage to the shipping container, I.e., rupture of the 
container. A critical configuration was assumed to result in an excursion and 
the release of fission products. The trees were constructed in an abbreviated 
form with sufficient information to identify potential hazards. The accidents 
and simplified event trees were defined to be comprehensive to preclude design 
and procedure change suggestions that would potentially solve one safety issue 
and re-introduce another without notice. 

A small discussion is presented at this point to place in perspective 
the following accident scenario descriptions. These descriptions are part of 
a radiological risk assessment process required for launch approval of a 
nuclear power source. Mission risk is assessed by probabilistic risk analysis 
techniques. The end product of the analyses is a quantitative assessment of 
the potential for human exposure to radiation levels above natural background 
as a result of the use of nuclear power sources in a space application. The 
analysis begins with the determination of mission events which have the 
potential to expose humans to radiation. Occurrence probabilities are then 
determined. Next, the consequences of these events are defined in terms of 
human exposure to radiation at various levels. Finally, the nuclear power 
system is evaluated on the basis of these analyses. 

Accident scenarios are defined as part of the determination of mission 
events which have the potential to expose humans to radiation. For a 
particular mission, mission phases are defined to allow the systematic 
evaluation of normal procedures and mission events to determine the results of 
an abnormal event. This is followed by an analysis of aborts or failure modes 
for each mission phase to identify potential malfunctions, single or multiple, 
which can potentially affect the nuclear power source. For each of the 
malfunctions, subsequent nuclear power source environments and associated 
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occurrence probabilities are defined. These environinfnts are then sequenced 
in an event tree. This is followed by an assessment of the response of the 
nuclear power system to each of the adverse environments, e.g., launch pad 
explosion overpressure and fragment field. If the analysis indicates a 
potential for the uncontrolled exposure of humans to radiation, a radiation 
source term is defined. The state and location of the radiation source term 
is considered. When the source terms with associated probabilities have been 
defined, the human consequences of the source terms are analyzed by 
characterizing environmental dispersion and human uptake. The combination of 
the source term probabilities and the potential human uptake is then used to 
describe the mission risk. 

The simplified event trees described in this chapter do not include the 
occurrence probabilities mentioned above. They are not detailed in that 
events of similar type but not necessarily the same consequence or probability 
have been combined. Nuclear system responses have been defined based upon 
similar accidents evaluated in previous safety analyses. The responses are 
the result of a cursory evaluation. No attempt has been made to estimate 
occurrence probabilities. The intent was to use the event trees to identify 
safety issues and not to discount any of them. Events which have catastrophic 
consequences for the nuclear power system may have extremely small occurrence 
probabilities making the event an insignificant contributor to mission risk. 

A new safety issue identified in this study should not impact design until 
occurrence probabilities, system response, and dispersion in the environment 
have been determined. 

6.1 LUNAR OUTPOST 

Prelaunch 

Potential accidents for this mission phase are listed in Table 6-1. As 
noted in chapter 5, this mission phase ends prior to the ignition of the 
liquid engines. Also listed are the resulting accident environments. The 
accidents and environments subsequent to the receipt of the reactor at the 
launch site have been thoroughly examined in the Galileo/Ulysses (Ref. V-2), 
DIPS (Ref. V-3) and SP-100 (Refs. V-4 and V-5) programs. A few accidents 
prior to transportation of the reactor to the launch site have been included, 
e.g., zero power test control failure and beryllium release during 
fabrication. 

For this mission phase, the corresponding simplified event tree can be 
found in Figure 6-1. It was assumed that a damaged reactor has the potential 
for an excursion due to the resulting configuration. At a minimum, a damaged 
reactor was assumed to release fuel without an excursion required due to fuel 
pin damage. A more detailed safety assessment is required to define degrees 
of damage. All impacts were assumed to have the potential for damage to the 
reactor. A reactor control failure during zero power testing was assumed to 
result in a runaway reaction leading to fuel pin failure. A decay heat 
removal failure during zero power testing was assumed to lead to excessive 
clad temperatures and fuel pin failure. An inadvertent reactor startup due to 
a spurious or inadvertent signal was assumed possible without a method to 
preclude such an occurrence. An inadvertent reactor startup was assumed to 
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Figure 6-1 Simplified Event Tree for the Lunar Mission Phase Prelaunch 
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Figure 6-1 Simplified Event Tree for the Lunar Mission Phase Prelaunch (cont.) 










64 


Figure 6-1 Simplified Event Tree for the Lunar Mission Phase Prelaunch (cont.) 












Table 6-1 

Lunar Mission Prelaunch Phase Accidents and Resulting Nuclear 

Reactor Environments 


Accident 

Reactor Environment 

Drop reactor or fuel rod 

Impact 

Traffic accident 

Impact 

Water sutxnersion 

Zero power test control failure 

Excursion 

Inadvertent reactor startup 

N/A 

Coll ision 

Impact 

Fire in storage facility 

Fire 

LOj/LHj tank failure 

Overpressure 

Shrapnel 

Fire 

Aft compartment explosion 
(Shuttle-derivative) 

Overpressure 

Shrapnel 

Fire 

Failure of a liquid propellant 
rocket motor leading to an 
explosion 

Overpressure 

Shrapnel 

Fire 

Beryllium release during machining 

N/A 


provide a radiation field harmful to nearby personnel. 

Launch to Low Earth Orbit 

The accidents and resulting environments for this mission phase have 
been extensively studied during the Galileo/Ulysses (Ref. V-2), DIPS (Ref. V- 
3) and SP-100 (Refs. V-4 and V-5) programs for both the space shuttle and 
expendable launch vehicles (Titan). Accidents will be initiated from either a 
failure of the launch vehicle or the nuclear reactor structure to resist 
launch loads inside the payload bay. The nuclear reactor will be subject to 
impact, fire, overpressure, projectiles, and reentry. The potential exists 
for inadvertent reactor startup. 

Simplified event trees for the launch vehicle options shuttle-derivative 
and Advanced Launch System (ALS) are shown in Figures 6-2 and 6-3, 
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Figure 6-2 Simplified Event Tree for the Lunar Mission Phase Launch to Low Earth Orbit (Shuttle 
Derivative) 
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Figure 6-2 Simplified Event Tree for the Lunar Hisslon Phase Launch to Low Earth Orbit (Shuttle 
Derivative) (cont.) 










Figure 6-3 Simplified Event Tree for the Lunar Mission Phase Launch to Low Earth Orbit (Advanced Launch 
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Figure 6-3 Sliipl If led Event Tree for the Lunar Mission Phase Launch to Low Earth Orbit (Advanced Launch 
Systen) (cont.) 





respectively. For clarification, the descriptor "Fire" represents the 
condition where a reactor may reach a critical configuration due to the 
thermal environment produced by burning fuel on the ground near the launch 
pad. No subsequent events take place. A fireball was assumed to not 
significantly damage the reactor in flight, i.e., the "No Fire" event. The 
condition of the reactor on the ground for the "Fire" event was not defined. 

In any case, there would either be fuel, and possibly fission products, 
released or not. Characterization of events in this mission phase was 
minimized since the SP-100 program has studied this phase in great detail. 
Sufficient detail has been included to determine that the current missions to 
the moon and Mars will not introduce new safety issues. 

Low Earth Orbit Space Vehicle Assembly 

Potential accidents are listed in Table 6-2. This mission phase has 
been divided into two sub-phases: 1) insertion into low earth orbit from 

launch and 2) assembly operations. Table 6-2 covers the first sub-phase. Low 
earth orbit insertion was assumed to require the shuttle Orbit Maneuvering 
System or an upper stage of the launch vehicle. Even though a space tug has 
been included in the analysis, a space tug will not likely be used since it 
would require a base for support which would be missing. The possibility does 
exist that an expendable space tug may be used and discarded after assembly of 
the transport system. Space tug failures would include an explosion of the 
propulsion system, engines and tanks, and guidance errors leading to orbits 
which will decay. Similar accidents are possible for cargo launched on a 
space shuttle-type vehicle where the Orbital Maneuvering System fails by 
explosion or guidance error. Any time during this phase, an inadvertent 
reactor startup command could be issued. 


Table 6-2 

Lunar Mission Lqw^ Earth Orbit Space Vehicle Assembly Phase 
(LEO Insertion) Accidents and Resulting Reactor Environments 


Accident 

Reactor Environment 

Space tug/last stage of 
launch vehicle failure 

Explosion 

Projectiles 

Reentry 

Orbital Maneuvering 
System failure 

Reentry 

Assembly failure 

Reentry 

Collision 

Impact 

Reentry 

I.iac'vertent reactor startup 

Inadequate heat sink 
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Failures of the space tug (e.g., Orbital Maneuvering Vehicle), upper 
stage, and the Space Shuttle Orbital Maneuvering System may result in 
projectiles and reentry, see Figures 6-4, 6-5 and 6-6. An explosion may 
result in reentry because of the relatively low altitude of the orbit. A 
guidance failure may result directly in reentry. Failure of a space tug to 
dock with the cargo would leave the nuclear reactor in low earth orbit. 

Orbital maneuvering to place the space vehicle components in close proximity 
for assembly have the potential for collisions. Collisions may occur between 
the reactor and various components of the transportation vehicles as the 
pieces are maneuvered for assembly. An excursion may occur whenever the 
reactor is damaged, a situation similar to a launch explosion. An inability 
to assemble the entire transportation system package with payload may leave 
the reactor stranded in low earth orbit if the power system cannot be 
recovered. Reentry may occur if the orbit has a short life and the reactor 
altitude cannot be maintained prior to a rescue mission. An inadvertent 
reactor startup command may find the reactor generating heat with the heat 
rejection subsystem not deployed or unable to reject heat to space because the 
power system is inside a payload fairing or other container. In this case, 
the reactor would not have an adequate heat sink which to reject heat. The 
fuel and fission products generated would be released if fuel clad failure 
occurred. Otherwise, the fission products would act as a radiation source 
during reentry and earth impact. Also, an unshielded reactor, i.e., the 
reactor design requires lunar regolith for shielding during operation, may 
produce a hazardous radiation field for any astronauts in the vicinity. 

Operations in low earth orbit will include the handling of propellant 
tanks with large quantities of LOj and LHj. Overpressurization of a 
propellant tank, if fuel transfer is required, or a collision during the 
process of attaching the fuel tanks to the transfer and/or excursion vehicles, 
may result in tank failure as indicated in Table 6-3. A considerable amount 
of activity will involve moving pieces of transfer vehicle components, e.g., 
aerobrake and propellant tanks, and cargo from temporary storage positions to 
the mission vehicle assembly area. This movement of material has the 
potential for a collision with the nuclear reactor power system. Inadvertent 
startup of the reactor is also a potential accident during this mission phase. 

A propellant tank rupture due to the explosion of an unsuccessful 
fueling of the lunar transfer vehicle (LTV) and the lunar excursion vehicle 
(LEV) would produce a field of projectiles. These projectiles may separate 
the nuclear power system from the space station or the transfer/excursion 
vehicle. Astronaut retrieval may follow, assuming the reactor configuration 
subsequent to the accident was subcritical. A critical reactor configuration 
was assumed to lead to an excursion and/or fuel release. A collision of the 
nuclear power system and the various pieces of the transfer and excursion 
vehicles moved about during assembly would likely result in low speed impact 
without an excursion and possibly, reentry if the impact dislodges the reactor 
and it cannot be recovered. Depending upon the power system design, an 
inadvertent startup would result in the reactor overheating since the heat 
rejection subsystem would not be deployed or the reactor would not be integral 
with the rest of the power system. Another serious concern would be the 
exposure of astronauts to the radiation field generated by the reactor. If 


71 



72 


Insertion (Shuttle Derivative) 
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Insertion (Shuttle Derivative) (cont.) 




Insertion (Advanced Launch System) 




Figure 6-6 Slnpllfled Event Tree for the Lunar Mission Phase Low Earth Orbit Space Vehicle Assembly 
Operations 
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Figure 6-6 Simplified Event Tree for the Lunar Hisslon Phase Low Earth Orbit Space Vehicle Assembly - 
Operations (cont.) 





the lunar emplacement scheme is to shield the reactor with lunar materials, 
operation at this time would subject astronauts to an Inadequately shielded 
neutron flux. 


Table 6-3 

Lunar Mission Low Earth Orbit Space Vehicle Assembly Phase 
(Operations) Accidents and Resulting Reactor Environments 


Accident 

Reactor Environment 

Propellant tank failure 

Explosion 

during LTV/LEV fueling 

Projectiles 


Reentry 

Collision 

Impact 


Reentry 

Inadvertent reactor startup 

Inadequate heat sink 


An option for this mission phase is the assembly of the space vehicle at 
Space Station Freedom, Figures 6-7 and 6-8. The potential accidents for this 
option are much the same as for assembly of the space vehicle In low earth 
orbit. The major exception is the maneuvers used to dock with the space 
station. They will replace the maneuvers in low earth orbit to place the 
various components of the payload and transportation system in close proximity 
for assembly. Failure to dock may occur when the space tug attaches to the 
cargo which has been boosted by an expendable launch vehicle or when the space 
tug and cargo or shuttle attempts to dock with Space Station Freedom. For 
this mission phase, the assumption was made that the space tug would not dock 
with the space station but the cargo would be directly attached to the space 
station. The space tug would then separate from the cargo after confirmation 
of cargo attachment to the space station. During any of these docking 
maneuvers, a collision between the cargo and the space tug and/or space 
station may occur. If the cargo and space tug are unable to dock with the 
space station, an alternate procedure would have to be used to retrieve the 
cargo. A similar situation may occur If the space shuttle would fail to dock 
with the space station or the space tug would fail to separate from the cargo 
after docking with the space station. A collision may result in impact with 
the space tug, the space shuttle, or the space station structure. 
Representative accidents for this option are listed In Table 6-4. 

The potential accidents for operations at the space station would be 
quite similar as those for space vehicle assembly in low earth orbit, see 
Table 6-3, but with the addition of potential collisions of the reactor and 
propellant tanks with the space station. There will still be the potential 
for collisions between the reactor and elements of the transportation system. 
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Figure 6-8 Simplified Event Tree for the Lunar Mission Phase Dock With Space Station Freedom (Advanced 
Launch System) 












Table 6-4 

Lunar Mission Dock With Space Station Freedom Phase 
Accidents and Resulting Reactor Environments 

(option) 


Accident 

Reactor Environment 

Space tug failure 

Explosion 

Projectiles 


Reentry 

Orbital Maneuvering 
System failure 

Explosion 

Projectiles 

Reentry 

Docking failure 

Reentry 

Collision 

Impact 

Reentry 

Inadvertent reactor startup 

Inadequate heat sink 


The corresponding simplified event tree Is also shown In Figure 6-6. 

A direct launch to the moon would not Involve any assembly operations In 
low earth orbit. Because of this, the accidents would be limited to 
Inadvertent reactor startup and failure of the lunar transfer vehicle to 
Insert the payload Into the trans-lunar orbit, see Figure 6-9. The resultant 
possible reactor environments may be an Inadequate heat sink, an explosion, 
projectiles, and reentry to earth if the resultant trajectory passes too close 
to the atmosphere. 


Trans-Lunar Orbit Insertion 

Potential accidents during this phase Include a collision of the 
transfer vehicle and cargo with Space Station Freedom after separation. Table 
6-5. Orbit Insertion from low earth orbit not at the space station would not 
have the potential for collision with the space tug used to undock the lunar 
transportation system from the space station. Also, space tug failures during 
orbit maneuvers would be eliminated. The maneuvering by the space tug prior 
to trans-lunar orbit insertion was assumed performed by the lunar 
transportation system. Collision of the transfer vehicle and cargo and the 
jettisoned propellant tanks may also occur after orbit insertion. Such a 
collision was assumed to lead to an explosion, see Figure 6-10. The lunar 
transfer vehicle may fail for such reasons as tank rupture, engine explosion, 
engine failure to ignite or shut down, loss of thrust, or guidance error. A 
failure of the exhausted propellant tanks to separate from the transfer 
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Figure 6-9 Simplified Event Tree for the Lunar Mission Phase Direct Launch To The Moon 



i 

Z 

\ 

I 


i 

t 



I 

8 

i 


83 


Figure 6-9 Simplified Event Tree for the Lunar Mission Phase Direct Launch To The Moon (cont.) 



Table 6-5 

Trans-Lunar Orbit Insertion Phase Accidents and 
Resulting Reactor Environments 


Accident 

Reactor Environment 

Lunar transfer vehicle and space 

Projectiles 

tug failure 

Reentry 

Collision with space tug 

Impact 

Failure of empty propellant 
tank to separate 

Reentry 

Inadvertent reactor startup 

Inadequate heat sink 


vehicle may be a safety problem depending upon contingency plans for such an 
event. If sufficient rocket fuel Is provided for lunar orbit insertion with 
the empty tanks attached, there will be no safety concern. However, if the 
contingency plan is to allow the transfer vehicle to return to earth without 
attempting lunar orbit insertion, the possibility of earth reentry exists. An 
Inadvertent reactor startup command may be issued. 

Collisions may lead to impact of the reactor and/or an explosion. A 
failure of the transfer vehicle and the space tug may result in a projectile 
field due to an explosion followed by reentry. A damaged reactor may result 
In an excursion of the reactor in orbit or during reentry and impact. As 
stated above, a failure to jettison an empty propellant tank(s) may resuU in 
reentry. An operating reactor would pose a hazard to a flight crew. It was 
assumed that the reactor would be sufficiently far from the space station to 
not be a hazard to astronauts at the space station. An operated reactor may 
pose a hazard to the public. If the reactor can be shut down, it may not pose 
a significant problem. If, however, the reactor cannot be shutdown or it 
operates to the point of fuel release, it will pose a hazard to astronauts if 
retrieval is required and to the public if retrieval is not possible and it is 
stranded in low earth orbit. This last safety problem is common to all 
mission phases where the potential for reentry occurs. The reactor itself 
would not be part of a fully assembled and deployed system and, hence, would 
not have an adequate heat sink because it was insulated from space. 
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Figure 6-10 Simplified Event Tree for the Lunar Mission Phases Trans-Lunar Insertion From Space Station 
Fre^om and LEO 
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Figure 6-10 Simplified Event Tree for the Lunar Mission Phases Trans-Lunar Insertion From Space Station 
Freedom and LEO (cont.) 
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Figure 6-1 








Lunar Orbit Insertion 


Failures of the lunar transfer vehicle have been lumped into a single 
accident in Table 6-6. Lunar transfer vehicle failures can include loss of 
thrust, failure to ignite engines, engine explosion, failure of engines to 
shut down, and guidance error. As usual, an inadvertent startup command may 
be received. 

An explosion of the lunar transfer vehicle engines may result in a field 
of projectiles plus rupture of LOj and LHj propellant tanks with additional 


Table 6-6 

Lunar Orbit Insertion Phase Accidents and 
Resulting Reactor Environments 


Accident 

Reactor Environment 

Lunar transfer vehicle failure 

Explosion 


Reentry 


Projectiles 


Impact 

Inadvertent reactor startup 

Inadequate heat sink 


projectiles, see Figure 6-11. As noted previously, a damaged reactor may 
result in fuel release and possibly, an excursion. A failure of the rocket 
engine to ignite or very early loss of thrust may lead to a return to earth 
and reentry if the trans-lunar orbit has a return trajectory intersecting the 
earth. Improper thrust vector control may result in lunar surface impact. 
Impact on the surface of the moon was assumed to result in complete 
destruction of the reactor. The impact, without the benefit of an atmospheric 
drag, would be at high speed, likely much greater than earth reentry terminal 
speed. An inadvertently operating reactor may pose a hazard to a flight crew. 
As previously discussed, the reactor would not be configured for operation and 
would not have an adequate heat sink. 

A direct descent to the lunar surface option would have the potential 
for the same accidents as lunar orbit insertion with the exception of the 
separation of the transfer and excursion vehicles if a single transportation 
vehicle was not used {see Figure 6-12). If the transfer and excursion 
vehicles did not separate, the transportation vehicles and payload may return 
to earth on a flyby trajectory, where the earth return leg of the trans-lunar 
orbit intersects the earth. An explosion of the descent vehicle during 
descent may lead to fuel release or possibly an excursion with the fuel and 
excursion fission products released upon impact with the lunar surface. 
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6-2 


Figure 6-11 Simplified Event Tree for the Lunar Mission Phase Lunar Orbit Insertion 
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Figure 6-11 Simplified Event Tree for the Lunar Mission Phase Lunar Orbit Insertion (cont.) 



Figure 6-12 Simplified Event Tree for the Lunar Mission Phase Direct Descent to Lunar Surface 














Rendezvous With Lunar Excursion Vehicle 


Potential accidents for this phase of the lunar mission are listed in 
Table 6-7. Collisions could occur during the docking maneuver and after the 
lunar transfer and excursion vehicles have separated prior to excursion 
vehicle descent to the lunar surface. Failures to dock, undock, and transfer 
cargo and propellants to the excursion vehicle may not immediately present 
safety problems but, a procedure and the means would be required to recover 
the reactor. An inadvertent reactor startup is possible. 


Table 6-7 

Lunar Mission Rendezvous With LEV Phase Accidents 
and Resulting Reactor Environments 


Accident 

Reactor Environment 

Collision 

Impact 

Explosion 

Projectiles 

Failure to dock or undock 

Stranded in orbit 

Failure to transfer cargo 
or LH 2 /LO 2 

Stranded in orbit 

Inadvertent reactor startup 

Inadequate heat sink 


A collision may result in reactor impact, an explosion, and projectiles. 
Fuel may be released to orbit after a collision and explosion with an 
excursion a possibility. Figure 6-13. The docking, undocking, and cargo or 
LOj and LHj transfer failures would lead to the reactor stranded in orbit. 
Retrieval may or may not be practical. Propellant tank rupture due to an 
unsuccessful propellant transfer from the LTV to the LEV would produce 
projectile fields. An inadvertent startup of the reactor could lead to a 
hazardous radiation field to a flight crew and an overheated nuclear power 
system if it is unable to adequately reject heat because it is inside a 
fairing or other such container. 

Descent To Lunar Surface 

Table 6-8 lists potential accidents and the resulting reactor 
environments for this phase of the lunar mission. A failure of the lunar 
excursion vehicle may occur due to a guidance error, a loss of thrust, a 
descent engine explosion or failure to ignite or re-ignite, or an attitude 
control failure upon landing. Guidance errors, loss of thrust, and attitude 
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Figure 6-13 Simplified Event Tree for the Lunar Mission Phase Rendezvous with Lunar Excursion Vehicle 



Table 6-8 

Descent to Lunar Surface Phase Accidents and 
Resulting Reactor Environments 


Accident 

Reactor Environment 

Lunar excursion vehicle 
failure 

Impact 
Projectiles 
Stranded in orbit 
Burial in regolith 
Explosion 

Inadvertent reactor startup 

Inadequate heat sink 


control failure may lead to impact on the lunar surface with fuel released as 
shown in Figure 6-14. No allowance was made for mitigating circumstances in 
near-surface low-speed impacts. An engine explosion would produce a field of 
projectiles. A damaged reactor was assumed to release fuel with the 
possibility for an excursion. The added notation /A denotes that the reactor 
may also impact the surface of the moon, i.e., the accident is not over. No 
Ignition of the descent engines would leave the reactor stranded in orbit. An 
inadvertent reactor startup would present a radiation hazard to the flight 
crew. The reactor would also be unable to adequately reject heat. Subsequent 
fuel cladding failure was assumed. 

Direct descent to the lunar surface has been discussed previously in the 
mission phase Lunar Orbit Insertion. 

Emol acement 

Accidents during this phase are dependent upon the emplacement scheme. 
Common to the emplacement schemes are the potential accidents dropping the 
reactor to the lunar surface if offloading from the lunar excursion vehicle 
and/or emplacement in an excavation Is required, colliding the reactor with 
other cargo or the lunar excursion vehicle during offloading. Inadvertent 
reactor startup, reactor control failure during startup and test prior to full 
power operation. Not included in the simplified event trees is the 
possibility of excessive emitted radiation due to inadequate shielding 
discovered during a site survey. The assumption was made that proper 
engineering design resulted in adequate shielding. A summary of these 
accidents for the emplacement schemes where the reactor would be emplaced in 
an excavation or surrounded by a berm is shown in Table 6-9. Potential 
accidents for the emplacement schemes where the reactor is left on the surface 
of the moon are also shown in Table 6-9. Impact accidents will be at low 
speeds. 

Low speed impacts will result if the reactor collides with the lunar 
excursion vehicle or is dropped during unloading of the reactor at the landing 


94 



95 


Figure 6-14 Simplified Event Tree for the Lunar Mission Phase Descent to Lunar Surface (After LTV and LEV 
Rendezvous) 













Table 6-9 

Emplacement Phase Accidents and Resulting 
Reactor Environments 


Accident 

Reactor Environment 

Collision 

Impact 

Drop reactor 

Impact 

Control failure 

Excursion 

Inadvertent reactor 

Inadequate heat sink 

startup 


site. The possibility of an excursion was included since a reactor design may 
allow removal of criticality-prevention devices subsequent to arrival on the 
lunar surface which were designed for high speed impacts, see Figure 6-15. 
These same types of accidents may occur at the emplacement site as the reactor 
Is lifted from a lunar surface transport cart and lowered into an excavation 
or Inside a berm enclosure. The power system may require some assembly. 
Subsequent to the assembly of the nuclear reactor power system, a series of 
tests will be performed. Even with no assembly, startup testing will be 
required. A reactor control failure during startup and testing may result in 
an excursion. 

A nuclear power system which turnkey would not be susceptible to most of 
the accidents shown in Table 6-9 and Figure 6-15. 

Operation and Maintenance 

During normal operation, system failures and external events can lead to 
unsafe reactor operating conditions. Depending upon the probability of the 
failure or the event, a reactor may be designed to accommodate the 
consequences of the failure or event. Design basis events were identified in 
the SP-100 program. Accidents related to the failure of the safety functions 
designed to accommodate these events were included in this study. Also 
included as accidents were events leading to unsafe conditions to astronauts 
but not necessarily to a failed power system. Examples would be an 
inadvertent startup of the reactor during maintenance procedures or an 
astronaut Inadvertently contacting live power cables. These failures and 
external events are listed as accidents in Table 6-10. It should be 
recognized that at this time minimal astronaut Involvement with the power 
system is preferred. A turnkey power system which only requires cable hookup 
will eliminate any safety concerns with respect to maintenance or repair. 

Loss of the primary coolant loop fluid or just the loss of flow of the 
primary coolant wil cajse tht power system to be unable to remove heat as it 
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Figure 6-15 Simplified Event Tree for the Lunar Hission Phase Emplacement 



Table 6-10 

Lunar Mission Operation and Maintenance Phase Accidents 
and Resulting Reactor Environments 
(Sheet 1 of 2) 


Accident Reactor Environment 


Loss of coolant 


Loss of flow 


Loss of power conversion 
subsystem 

Loss of heat sink 


Loss of load 


Reactor I&C failures or 
sufficiently degraded state 


Inadequate heat 
rejection path 

Inadequate heat 
rejection path 

Inadequate heat 
rejection path 

Inadequate heat 
rejection path 

Inadequate heat 
removal path 

Excursion or 
shutdown 


Reactor safety subsystem Excursion or 

failures including shutdown 

environmental effects 


Reactor safety subsystem Excursion or 

sufficiently degraded state shutdown 


Exceed fuel temperature limits Degraded operation 

lifetime 


Inadvertent startup during Shutdown’ 

maintenance 


Loss of uninterruptible power Unable to monitor 
(e.g., battery) after shutdown 


Fuel pin failure 


Fission product 
release 


Loss of communications with Uncontrolled by 

habitat/space station/earth external command 
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Table 6-10 

Lunar Mission Operation and Maintenance Phase Accidents 
and Resulting Reactor Environments 
(Sheet 2 of 2) 


Accident 

Reactor Environment 

Excessive positive reactivity 
insertion 

Excursion 

Unplanned negative reactivity 
insertion 

Power-down or 
shutdown 

Loss of power to buses 

Uncontrolled 

Astronaut contact with power 
cables 

N/A 

Meteor impact 

Impact 


1. During maintenance the reactor will be shutdown, but 
the potential exists for astronaut exposure to 
harmful radiation fields. 


Is generated in the reactor core. If the power conversion subsystem or the 
heat rejection subsystem falls to function, a scram condition will exist and 
decay heat will have to be removed. A loss of load would also result in a 
scram condition. 

Failures in the reactor instrumentation and control and in the safety 
subsystems may result in inadvertent positive or negative reactivity 
insertions depending upon system design. Failures can also lead to the 
inability of the system to determine that the system is operating in an unsafe 
condition. Degradation of the instrumentation and control subsystem and the 
safety subsystems can also result in unsafe operation. 

Exceeding fuel temperature limits during operation may not result in a 
hazardous condition at the moment of the event. However, reactor internal 
component degradation may be sufficient to effect component and system 
lifetimes. System design may no longer be adequate to meet predicted 
performance levels and lifetimes. 

Astronauts may have to perform maintenance activities on the nuclear 
power system to meet reliability requirements. Hence, the potential exists 
for astronauts to be exposed to unsafe levels of radiation due to inadvertent 
operation of the reactor should these maintenance tasks require shutdown. A 
highly reliable system would require not maintenance and thus, eliminate this 
concern. 
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After a shutdown command, a power supply will be required to monitor the 
status of the reactor and remove decay heat. A loss of this independent power 
supply may lead to reactor core disruption due to excessive temperatures. It 
will certainly lead to the inability of the astronauts to determine the 
condition of the reactor. A shutdown command could fail to shutdown the 
reactor but trip the power conversion subsystem to the shutdown mode. Without 
power to monitor the status, this condition would not be identified. 

Fuel pin failure would result in the release of fission products into 
the primary coolant. The deposition of the fission products in the primary 
loop could lead to astronaut radiation overexposure during maintenance 
operations at the power production site. 

Loss of communication with the reactor will prevent control of the 
reactor by external commands. 

Excessive positive reactivity insertions will lead to a reactor 
excursion and the destruction of the core. An unplanned negative reactivity 
insertion will result in a loss of power and possibly shutdown. These events 
may occur as a result of system degradation. 

Loss of power to buses will result in loss of safety function and 
possibly, an uncontrolled reactor. 

A meteoroid impact may result in an unsafe impact environment. Meteors 
typically impact at speeds from 1 km/sec to 72 km/sec (Ref. V-3). Damage to 
the reactor may range from small punctures of a coolant loop to complete 
destruction of the power system with subsequent dispersal of the reactor core 
materials. 

The above accidents have been lumped together into the five accidents 
shown in Figure 6-16. Most of the above accidents will result in hazardous 
conditions should reactor control or decay heat removal fail. Fuel cladding 
failure as shown in Figure 6-16 represents fuel pin failure during normal 
operation and not as a result of reactor control failure or a loss of coolant 
accident. Also shown in the figure is the consequences to the habitat of a 
failure of the reactor, loss of power to the habitat. Primary power to the 
habitat will be lost whenever the nuclear power system is shut down. 

Disposal 

Three alternate fuel disposal schemes have been identified: 1) disposal 

in place on the moon, 2) disposal on the moon away from the power production 
area, and 3) insertion into a parabolic escape orbit. Potential accidents for 
these options have been separated and are listed in tabular form. 

The disposal in place option would have the reactor shut down and left 
in place in the power production area. Potential accidents for this disposal 
strategy are listed in Table 6-11. Failure of the reactor to shutdown at end 
of life will result in reactor operation with unpredictable performance. The 
reliability and effectiveness of safety systems and functions would be 
unknown. Failure of the reactor system to provide for permanent shutdown may 
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Figure 6-16 Simplified Event Tree for the Lunar Mission Phase Operation and Maintenance 




Table 6-11 

Disposal In Place Phase Accidents and Resulting Hazards 


Accident 

Hazard 

Failure to shutdown permanently 
at end of life 

Radiation to 
astronaut 

Loss of decay heat removal 

Release of 
fission products 

Unrestricted access to site 

Radiation to 
astronaut 

Containment failure 

Contamination 
of regolith 

Micrometeor impact 

Fission product 
release 


allow an extended period of cycles of low power reactor operation as the 
fission products buildup and decay. This could result in radiation exposure 
during disposal operations, see Figure 6-17. Subsequent to shutdown, decay 
heat must be removed until the heat generation level has sufficiently decayed 
to the point where loss of a decay heat removal system will not lead to breach 
of cladding and the release of fission products. 

Depending upon the emplacement scheme, the reactor may present a 
radiation hazard. An emplacement scheme which uses distance for shielding 
(e.g., an unshielded reactor in a crater) may require distance for shielding 
of the disposed reactor. Unrestricted access to the reactor may result in 
radiation overexposure to an astronaut. 

The reactor will be exposed to the lunar environment for a significantly 
long period of time. Containment may be breached by material failure due to 
interaction with the lunar environment or due to meteor Impact. Fission 
products may be released. 

Disposal on the moon away from the power production area may potentially 
experience the accidents listed in Table 6-12. The accidents and resulting 
hazards are the same as for the disposal in place option with the exception of 
transportation accidents. The reactor may be dropped during handling and the 
transport cart may roll over. These accidents will Involve low speed impacts 
which may lead to fission product release depending upon the condition of the 
reactor, see Figure 6-18. 
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Figure 6-17 Simplified Event Tree for the Lunar Mission Phase Disposal In Place 
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Flyure 6-18 Simplified Event Tree for the Lunar Mission Phase Disposal Away From Power Production Area 











Table 6<12 

Disposal Away From Power Production Area Phase Accidents 

and Resulting Hazards 


Accident 

Hazard 

Failure to shutdown permanently 
at end of life 

Radiation to 
astronaut 

Loss of decay heat removal 

Release of 
fission products 

Drop reactor 

Release of 
fission products 

Transport cart rollover 

Release of 
fission products 

Unrestricted access to site 

Radiation to 
astronaut 

Containment failure 

Contamination 
of regolith 

Meteor impact 

Fission product 
release 


Disposal by means of insertion into a parabolic escape trajectory would 
involve launching the reactor by lunar excursion vehicle. Representative 
accidents are listed in Tables 6-13 and 6-14. In addition to the accidents 
common to the previous disposal strategies, accidents involving the lunar 
excursion vehicle will be possible. Potential accidents associated with the 
separation of the reactor with booster from the lunar excursion vehicle are 
introducGd. Th© booster will add to the luner excursion vehicle accidents and 
consequences • These additional accidents and consequences are lumped with the 
lunar excursion vehicle failure and consequences because the booster was 
assumed to be a similar LO 2 and LH 2 propulsion system. Failure of the lunar 
excursion vehicle and the disposal booster to separate may lead to the 
decision to land the“ lunar excursion vehicle for repair or replacement. A 
return to the lunar surface would introduce the possibility of lunar excursion 
vehicle failures and reactor impact during descent. A condensed version of 
the previous accident and environment table format has been used due to the 
large number of possible accidents and environments. 

The simplified event tree for the option to dispose by parabolic 
trajectory is shown in Figure 6-19. Contrary to previous event trees, an 
explosion of the lunar excursion vehicle at launch from the surface of the 
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Table 6-13 

Disposal by Parabolic Trajectory Phase Accidents 
and Resulting Hazards 


Accident 

Hazard 

Failure to shutdown permanently 

Radiation to 

at end of life 

astronaut 

Loss of decay heat removal 

Release of 
fission products 

Drop reactor 

Release of 
fission products 

Transport cart rollover 

Release of 
fission products 


Table 6-14 

Disposal by Parabolic Trajectory Phase Accidents 
and Resulting Reactor Environments 


Accident 

Reactor Environment 

Lunar excursion vehicle failure 

Impact 

Projectiles 


Explosion 

Collision after separation 

Impact 

Explosion 

Projectiles 

Disposal booster failure 

Projectiles 


Stranded in orbit 


Impact 

-- ^ 

Explosion 


moon was assumed to lead to fission product release regardless of whether a 
reactor excursion occurred or not since the reactor had operated for its 
lifetime. The consequences of impactTngThe surface of the "moon after LEV 
failure would depend on the altitude at the moment of LEV failure. As such, 
allowance was made for an impact without damage to the reactor. 
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Figure 6-19 Simplified Event Tree for the Lunar Hission Phase Disposal by Parabolic Trajectory 
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Figure 6-19 Sinpllfled Event Tree for the Lunar Hisslon Phase Disposal by Parabolic Trajectory (cont.) 





Flqure 6-19 Simplified Event 







6.2 MARTIAN OUTPOST 


Pre-launch 

For the purposes of this study, the accidents and nuclear power system 
environments for this phase of the martian mission has been assumed to be the 
same as the corresponding lunar mission phase, see section 6.1. For purposes 
of brevity, the simplified event tree constructed for this mission phase has 
not been included. The reader may use the corresponding simplified event tree 
for the lunar mission. The same step has been taken for other Mars mission 
phases where the lunar and Mars simplified event trees are indistinguishable. 

Launch to Low Earth Orbit 

For the purposes of this study, the accidents and reactor environments 
for this phase of the martian mission has been assumed to be the same as the 
corresponding lunar mission phase for an expendable launch vehicle, see 
section 6.1. The corresponding simplified event tree is shown in Mgure 6-20. 

Low Earth Orbit Space Vehicle Assembly 

For the purposes of this study, the accidents and reactor environments 
for this phase of the martian mission has been assumed to be the same as the 
corresponding lunar mission phase for an expendable launch vehicle, see 
section 6.1. The corresponding simplified event trees are shown in Figures 6- 
21, 6-22, 6-23 and 6-24. A direct launch to Mars was assumed only with 
chemical rocket propulsion since launch from earth with a nuclear rocket 
propulsion system appears to be unacceptable to the general public. 

Trans-Mars Orbit Insertion 

For the purposes of this study, the accidents and reactor environments 
for this phase of the martian mission has been assumed to be the same as the 
corresponding lunar mission phase for a LO 2 and LHj fueled expendable launch 
vehicle (ALS), see section 6.1. The corresponding simplified event tree for a 
LO 2 /LH 2 propelled transfer vehicle is shown in Figure 6-25. 

Nuclear thermal propulsion will likely involve the use of liquid 
hydrogen as a propellant. Failures of the nuclear thermal booster did not 
include an explosion of the system since there will be no oxygen available in 
the vicinity of the liquid hydrogen. As such, the simplified event tree in 
Figure 6-26 for nuclear thermal propulsion is the same as for chemical 
propulsion with the exception of no explosion of the nuclear propulsion 
system. Failures were limited to guidance failure and Improper thrust. Due 
to the short time the nuclear booster would be thrusting, on the order of tens 
of minutes, guidance failures and incorrect thrust levels have been assumed to 
result in similar circumstances. 

The use of nuclear electric propulsion may eliminate some of the 
potential accidents and resulting environments found with chemical and nuclear 
thermal boosters. Guidance failures and improper thrust levels are treated 
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Figure 6-20 Simplified Event Tree for the Hars Mission Phase Launch to Low Earth Orbit 
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Figure 6-20 Simplified Event Tree for the Mars Mission Phase Launch to Low Earth Orbit (cont.) 










Figure 6-21 Simplified Event Tree for the Mars Mission Phase Low Earth Orbit Space Vehicle Assembly - LEO 
Insertion 
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Figure 6-22 Simplified Event Tree for the Mars Mission Phase Low Earth Orbit Space Vehicle Assembly - 
Operations (cont.) 
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Figure 6-23 Simplified Event Tree for the Mars Mission Phase Dock Mith Space Station Freedom 








Figure 6-24 Simplified Event Tree for the Mars Mission Phase Direct Launch To Mars 
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Figure 6-24 SlR^llfled Event Tree for the Mars Mission Phase Direct Launch to Mars (cont.) 









Figure 6-25 Simplified Event Tree for the Mars Mission Phase Trans-Mars Orbit Insertion 
(By Chemical Rocket) 
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Figure 6-25 Simplified Event Tree for the Mars Mission Phase Trans-Mars Orbit Insertion 
(By Chemical Rocket) (cont.) 
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Figure 6-25 








Figure 6-26 Simplified Event Tree for the Hars Mission Phase Trans-Mars Orbit Insertion 
(By Nuclear Thennal Rocket) 
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Figure 6-26 Simplified Event Tree for the Mars Mission Phase Trans-Mars Orbit Insertion 
(By Nuclear Thermal Rocket) (cont.) 
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Figure 6-26 








differently. The low thrust and long burn times required more readily allow 
remedial action in the event of a failure, see Figure 6-27. It will however, 
introduce the potential for impact on the moon during the lunar flyby assumed 
for this study. 

Mars Orbit Insertion 

Potential accidents for this phase of a mission to Mars are listed in 
Table 6-15. The aerobrakes and the requirement that the Mars transfer and 


Table 6-15 

Mars Orbit Insertion Phase Accidents and Resulting 
Reactor Environments 


Accident 

Reactor Environment 

Failure to separate 

Reentry 

Guidance failure 

Impact 

Aerobrake failure 

Impact 

Collision of transfer and 
excursion vehicles 

Impact 

Projectiles 

Explosion 

Failure of transfer and 
excursion vehicles to 
rendezvous 

Stranded in orbit 

Inadvertent reactor startup 

Inadequate heat 
rejection path 


excursion vehicles separate prior to orbit insertion increase the possibility 
for accidents over that of lunar orbit insertion. The simplified event tree 
for this mission phase where orbit insertion is by aerobrake is shown in 
Mgure 6-28. 

The accident failure to separate was assumed to lead to earth reentry 
due to the return-to-earth flyby trajectory nature of potential trans-Mars 
orbits. Since the design of the excursion vehicle aerobrake is not defined, 
the possibility exists that the excursion vehicle aerobrake would not be 
sufficient for earth orbit insertion and could result in uncontrolled reentry. 

Orbit insertion guidance and aerobrake structural failures could result 
in the excursion vehicle impacting the surface of Mars The atmosphere of 
Mars is very thin compared to that of earth (see Appendix) and thus will not 
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Figure 6-27 Simplified Event Tree for the Mars Mission Phase Trans-Mars Orbit Insertion 
(By Nuclear Electric Propulsion) 
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(By Nuclear Electric Propulsion) (cont.) 
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Figure 6-27 
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Figure 6-27 Simplified Event Tree for the Hars Mission Phase Trans-Mars Orbit Insertion 
(By Nuclear Electric Propulsion) (cont.) 








provide a similar reentry drag environment. An impact on the surface of Mars 
inay result in the complete destruction of the reactor. 

A collision of the transfer and excursion vehicles during the rendezvous 

products would be released in orbit and on the surface of Mars if the reacto 
was to subsequently impact the planet. 

A failure to rendezvous has not been listed as a safety- related . 

arrirtpnt The excursion vehicle could be left in orbit until the next piloted 

ve" ” t «uld be sent to the i..rti.n surf.ce es in en 
SSJed nfgrfliSht. in either esse, the reector would be stored ,n . sefe 
configuration. 

An inadvertent reactor startup is possible with the reactor heat , . 

reiection system not deployed. As stated previously, a radiation hazard would 

£e Irelted for the flight irew. A fission Jearto? oJ 

which may present a hazard to astronauts during emplacement of the reactor on 

the surface of Mars. 

Mars orbit insertion by nuclear 
not be subject to the potential accidents caused by use 
maneuver and the subsequent rendezvous, 6-29. Failures of tne 

nuclear propulsion systems have been limited to guidance and 
cinirkn MDlo^ve source is missing. Resultant trajectories will lead to 
earth reentry if no thrusting occurs and the trans-Mars orbit has a [“eturn leg 
which intersects the earth, surface impact on Mars, and parabolic orbits. 

A direct descent to the surface of Mars would have the J^® 

accidents shown in Figure 6-30. Failures consist primarily 
of the transfer and excursion vehicles 
performance of the descent (excursion) vehicle. 

vehicle is used, separation failure would be precluded. If the transfer ana 
excursion vehicles did not separate, the transportation vehicles and payload 

^etS?n to earth on a flyby trajectory. An explosion of the descent 

vehicle may lead to fuel release and possibly an excursion with 

fuel and fission products released upon impact with the surface of Mars. 

Durina this mission phase the excursion and transfer vehicles would 
rendezvous if such a transport system was used. The simplified event tree for 
this rendezvous is shown in Figure 6-31. The assumption was made that the 
eJeOrHOn “Ohid^wOuld b^fuel^^ with LO^ and LH^. Impact on the surface of 
Mars after an explosion in orbit was assumed not possible since the atmosphere 
of Mars is too thin to adequately slow down the reactor. The potential 
?IaaO? cOnfiOurat!onO aftOr an accident are a safely stowed reactor stranded 
in orbit a damaged reactor releasing fuel and possibly fission products, and 

1 relcior Spe?ating inadvertantly. The ?aht 

contaminate the orbit. An operating reactor may be a hazard to the flight 
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Figure 6-28 Simplified Event Tree for the Mars Mission Phase Mars Orbit Insertion By Aerobralce 
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Figure 6-28 Simplified Event Tree for the Hars Mission Phase Mars Orbit Insertion By Aerobrake (cont.) 
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Figure 6-29 Simplified Event Tree for the Mars Mission Phase Mars Orbit Insertion By Nuclear Propulsion 
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Figure 6-29 Simplified Event Tree for the Hars Hisslon Phase Mars Orbit Insertion By Nuclear Propulsion 
(cont.) 



Figure 6-30 Simplified Event Tree for the Mission Phase Direct Descent to Surface of Mars 
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Figure 6-31 Simplified Event Tree for the Mars Mission Phase Mars Orbit Insertion By Aerobrake 
(MTV/MEV Rendezvous) 





crew if the startup occurs when the excursion and transfer vehicles 
Suched and after crew transfer to the excursion vehic e No such proble^^ 
would occur for a cargo flight. An option on a cargo flight would be to boost 
the excursion vehicle into an escape trajectory. 

Descent to Surface of Mars 

After a successful separation of the Mars transfer and excursion 
vehicles, a guidance error may cause the excursion vehicle to impact the 
surface of Mars, see Table 6-16. Propellant tank ruptures during these 

Table 6-16 

Descent to Surface of Mars Phase Accidents 
and Resulting Reactor Environments 


Accident 

Reactor Environment 

Guidance failure 

Impact 

Aerobrake failure 

Impact 

Descent engine failure 

Impact 

Explosion 

Projectiles 

Inadvertent reactor startup 

Inadequate heat 
rejection path 


accidents may provide a source of projectiles. A damaged reactor may lead to 
fuel release and possibly, a nuclear excursion. The simplified event tree for 
this mission phase is shown in Figure 6-32. A failure of the guidance system 
to initiate descent would strand the reactor in orbit. 

A failure of the aerobrake during descent will likely cause the 
excursion vehicle to tumble out of control. The vehicle may break up. The 
reactor may or may not detach from the excursion vehicle. The end result 
would be impact on the surface of Mars at high speed. The reactor would also 
impact the martian surface should the descent engines fail, e.g., loss of 
thrust, guidance error, and failure to ignite. The transition between 
aerobrake descent and ignition of the descent engines can result in impact on 
the martian surface should the aerobrake fail to properly jettison. In any 
case, surface impact may lead to complete reactor destruction. 

An inadvertent reactor startup is possible with the reactor heat 
rejection system not deployed. Possible resultant events include the 
generation of a hazardous radiation field for the flight crew, the generation 
of fission products which may pose a hazard during emplacement, and fuel 
release. 
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Figure 6-32 Simplified Event Tree for the Mars Mission Phase Descent to Surface of Mars After MEV and MTV 
Rendezvous 




Emol aceinent 

For the purposes of this study, the accidents and reactor environments 
for this phase of the Mars mission has been assumed to be the same as the 
«?r”pondin9 lursr mUsion phase, see section 6.1, except for the effects of 
the martian atmosphere and soil. 

Operation and M aintenance 

For the purposes of this study, the accidents and reactor environments 
for this phase of the Mars mission has been assumed to be the same as the 

corresponding lunar nlsslon phase, see section 6.1, if 

the martian atmosphere and soil. The corresponding simplified event tree is 
showS ^n F?gSrri-33 Note the addition of the effects of the atwsphere to 
the list of accidents. 

Disposal 

For the purposes of this study, the accidents and reactor environments 
for this phase of the Mars mission has been assumed to be the same as the 
corresponding lunar mission phase, see section 6.1, except for the effects of 
the martian atmosphere and soil. Figure 6-34 contains the simplified event 
tree for this mission phase option. 

6.3 SUMMARY 

A preliminary identification of safety issues can now be performed. 
Events and nuclear power system responses to events defined m the event trees 
which have the potential to leave the reactor in an unsafe configuration are 
safety issues. An example would be the environment of Mars. 

Operation and Maintenance and disposal phases of a mission 
and fission product barriers, reactor vessel and fuel - 

breached by the constituents of the martian environment leading to the release 
of fuel and fission products. The identification is preliminary because the 
event trees and accident environments are characterized qualitativel^y. The 
next iteration on this assessment process would be the evaluation of data 
available to describe accident environments and the generation of data tor 
occurrence probabilities. Should reactor response be shown to leave the 
reactor in a safe condition or the occurrence probability be sufficiently 
small to produce very small contribution to the overa^ mission risk, the 
safety issue would be eliminated. The potential accidents and reactor 
responses identified in this chapter may not necessarily lead to a safety 
issue which must impact design. A risk assessment is required to put these 
potential accidents and hazards in perspective, including non-nuclear and 
space environment risks. 
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Figure 6-34 Simplified Event Tree for the Mars Mission Phase Disposal by Parabolic Trajectory 
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Figure 6-34 Simplified Event Tree for the Mars Mission Phase Disposal by Parabolic Trajectory (cont.) 
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Figure 6-34 Simplified Event Tree for the Mars Mission Phase Disposal by Parabolic Trajectory (cont.) 









7.0 SAFETY ISSUES 


A summary of the safety issues identified in the SP-100 program is found 
in Table 7-1. These safety issues are relevant to missions to the moon and 
Mars with the possible exception of space debris in low earth orbit. The 
amount of time spent in low earth orbit will be significantly less than for 
proposed SP-100 missions. Whether this will result in an insignificant space 
debris risk must be determined. An examination of the simplified event trees 
developed in evaluating potential accident scenarios in the preceding chapter 
reveals that these safety issues are common to the Space Exploration 
Initiative missions. These issues have been clearly defined in the SP-100 
safety program (Refs. V-4 and V-5) and will not be discussed here. 


Table 7-1 

Compilation of SP-100 Program Safety Issues 


Hazard to launch vehicle 

Criticality in launch vehicle explosion environments 

Criticality in water and/or soil 

Criticality after reentry and secondary impacts 

Toxicity from dispersal of released hazardous materials 

Reentry dispersal of fuel and fission products 

Space debris penetration of primary coolant boundary 

Inadvertent startup and reactivity insertion 

Shutdown capability at any time 

Fission product release during normal operation 

Reactor power control 

Loss of coolant, flow, and heat sink 

Loss of load 

Final shutdown 

Decay heat removal 

Loss of communication 

Loss of safety functioi 
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Safety issues which have been identified in addition to those mentioned 
above for the SP-100 program are listed in Table 7-2. The ^ ^ 
reflect the results of any estimation of the hazard level. Each of these 


Table 7-2 

Safety Issues Derived From Missions to the Moon 

and Mars 


Criticality after transfer and excursion vehicle 
explosions 

High voltage power cables’ 

Loss of power to habitat' 

Radiation emitted during operation and maintenance 
(if any) 

Mars environment 

High speed impact on the moon and Mars 

Return flyby trajectories 

Disposal after operation on planet 

Outpost contamination from released fission 
products 

Reactor stranded in orbit 


Not normally considered a nuclear safety issue 


safety issues was identified as a result of the analyses reported in chapter 
6. The following discussion presents the safety issues identified as a result 
of the preliminary hazards analysis, the results of which were presented in 
the preceding chapter. 

Criticality is a safety concern following explosions. Projectiles 
produced in an explosion in the vacuum of space present a similar potential 
for reactor damage as for shrapnel generated by launch vehicles. The 
magnitude of the shrapnel environment from explosions of the transfer and 
excursion vehicles is unknown due to the absence of detailed designs. 

However, a significant amount of LH 2 and LOj will be aboard the transport 
vehicles. If propellant tanks with common bulkheads are used, failure of the 
bulkhead separating the propellants would result in a confined-by-missile 
explosion. Tank rupture dua to excessive tank pressure during propellant 
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transfer from transfer vehicle to reusable excursion vehicle, if used, may 
also produce a hazardous source of projectiles. A reactor excursion would 
produce a radiation field hazardous to a flight crew or Space Station Freedom 
astronauts. It would likely damage the reactor sufficiently that an 
occurrence in low earth orbit or on a trajectory that will allow a return to 
earth after a mission abort prior to moon or Mars orbit insertion may be 
hazardous to the population of earth. 

Power cables on the surface of the moon and Mars will present a safety 
hazard to the astronauts. Contact may result in electrocution. Additionally, 
power may be loss to the habitat(s). Any loss of power to the habitat(s) is 
life threatening without some means to provide emergency backup power. Life 
support systems and thermal management will require power to maintain 
conditions conducive to the survival of the astronauts. Short term solutions 
such as EMUs may be used, but long term solutions will require power or the 
base will have to be abandoned. An emergency power system may be required to 
maintain the excursion vehicle in a launch ready condition for subsequent base 
abandonment. 

The radiation field external to a reactor produced during operation will 
be a hazard to astronauts on the surface of the planet. Some method of 
shielding will be required, whether it be separation distance or physical 
barrier or some combination of the two. Shielding studies have been performed 
to attempt to determine the optimum configuration. However, astronaut dose 
limit requirements have not been properly defined. Both exposure period and 
dose plane location have been subject to considerable variability. Astronaut 
movement and time spent at a location have not been factored into shielding 
studies in sufficient detail. Astronauts will be involved in many activities 
which have the potential to expose them to reactor generated radiation fields, 
e.g., occupation of the habitat, activities about the habitat area, and 
maintenance in the vicinity of the power production area. Also, additional 
sources of man-made radiation such as mobile radioisotope power sources have 
not been factored into reactor shielding studies. Finally, dose limits which 
have previously been defined have been prescribed for different periods of 
time. A shield design based upon a 30 day mission will be inadequate for long 
terra missions such as the 600 day Mars preparatory mission. The shield should 
be designed for the longest expected mission to avoid the need for any 
retrofit action. 

Shielding of the reactor to provide protection to the astronauts 
introduces a safety concern from Table 7-1 which had been solved previously in 
the SP-100 program. Reactor control for SP-100 is by external reflectors. 

The relatively large neutron leakage of a compact reactor in space allows for 
this simple, efficient control method. The placement of shielding material 
close around the reactor will, however, diminish the worth of the reflectors 
surrounding the reactor. Neutron scattering from the shielding material back 
into the reactor may render the reference flight system reflector control 
design inadequate. 

The Mars environment is highly corrosive to refractory materials (see 
Appendix A). Containment of fuel and fission products must be maintained. 
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Missions to the moon and Mars have the potential for high speed surface 
impact as noted in chapter 6. Impact will be at high speed due to the lack of 
any atmosphere sufficient to reduce velocity by drag forces. Planetary 
approach velocities which may reach several km/sec, see Figure 7-1. 
impact speeds have been estimated at 269 m/sec for the SP-100 (Ref. V-4). 

This is an order or magnitude smaller than typical Mars approach speeds. 
Additionally, the lack of an atmosphere on the moon and the low density of the 
atmosphere on Mars will not provide the vehicle breakup common to reentry on 

earth. 


Once the transport vehicle has been successfully inserted into the 
trans-lunar or trans-Mars orbits, risk to the general population does not 
reduce to zero. In the interests of providing the safest mission profile for 
flight crews, missions will likely have transfer vehicle flight trajectories 
which will allow planet flyby and return to earth should a mission be aborted. 
The reactor may be returned to low earth orbit. The issue of the capability 
of the returning spacecraft to safely achieve low earth orbit with cargo 
attached has not been investigated. The transfer vehicle propulsion system 
may not be designed for full cargo return. 

Fuel and fission product containment will be an important safety 
consideration during planet surface operation and as a factor in the choice of 
disposal strategy. Depending upon the amount and type of astronaut activity 
in the vicinity of the power production area on the moon, surface 
contamination due to a breach of fission product containment may result in 
contamination of the habitat. An astronaut traversing a contaminated area may 
carry radioactive particles back to the habitat on his EMU. The Mars 
environment adds a new dimension to these safety issues. The surface winds 
will entrain fission products and disperse them. Additionally, the harsh 
environment of Mars will necessitate substantially greater fuel and fission 
containment barrier requirements over that required for the moon. 

To avoid overlooking a possible safety issue, the circumstance where a 
reactor is stranded in orbit has been noted. A reactor may be stranded If' 
orbit around the earth, the moon or Mars. If a reactor stranded in low earth 
orbit cannot be recovered, reentry will occur. This is an obvious hazard to 
the general population. SP-100 has overcome this hazard by not operating the 
reactor until it is in the operating orbit and by designing the reactor to 
impact earth intact after the inadvertent reentry. A reactor stranded in 
orbit around the moon or Mars will not pose a threat to the general 
population, but may pose a threat to subsequent flight crews. The potential 
will exist for an inadvertent rendezvous and collision since the reactor will 
likely be in an orbit used for subsequent missions to the same planetary 
outpost. A collision may result in damage to the reactor which is sufficient 
to produce a nuclear excursion. The resulting radiation field would be 
hazardous to surviving astronauts. 
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Figure 7-1 Mars Approach Velocity as a Function of Launch Opportun 
(Ref. VII-1) 


8.0 SAFETY ISSUE RESOLUTION 


8.1 SP-100 PROGRAM SAFETY ISSUE RESOLUTION 


Resolution approaches taken in the SP-100 program are listed in Table 8- 
1 by safety issue. No further comments will be presented since . 
has^a well established safety program (Refs, V-4 and V-5) which has documented 
this information in many sources. 


Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 1 of 6) 


Safety Issue 


Resolution 


Hazard to launch vehicle 


Criticality in launch 
vehicle explosion 
environments 


Primary coolant lithium solid at launch 

Insignificant fission product inventory at 

launch , ^ . 

Latches and locks on reflectors, safety rods, 
gas separators, TEH pumps, power converters, 
and radiator panels 

Encryption and decryption startup command 
sequence 

Monitor inhibits while in payload bay 

Category 1 hazardous functions identified and 
inhibited 

Category 2 hazardous functions to be identified 
in flight program 

Reflector and safety rod drives without power 
during launch 

Fracture control program to be implemented for 
beryllium 

Automatic shutdown springs used to keep 
reflectors and safety rods in safe shutdown 
positions while the reactor is in the launch 
vehicle 

The design is required to meet stress corrosion 
cracking requirements 

Latches and locks on safety rods to restrict rod 
movement relative to fuel 

Core subcritical with full compaction 

Honeycomb core structure 

Weak link in actuator mechanism at shield to 
maintain safety rod integrity and alignment 

High temperature materials PWC-11(2741K) 
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Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 2 of 6) 


Safety Issue 


Resolution 


Criticality in water 
and/or soil 


Criticality after reentry 
and secondary impacts 


Toxicity from dispersal 
of released hazardous 
materials 


Reentry dispersal of fuel 
and fission products 


Rhenium poison provides thermal neutron 
absorption 

Latches and locks on safety rods to restrict rod 
movement relative to fuel 
Adequate negative reactivity in safety rods to 
ensure subcritical configuration 
Reentry heat shield provides predictable water 
entry orientation 

Honeycomb core structure and reactor vessel 
prevents fuel spreading 
Weak link in actuator mechanism at shield to 
maintain safety rod integrity and alignment 

Latches and locks on safety rods to restrict rod 
movement relative to fuel during reentry and 
impact 

Adequate negative reactivity in safety rods to 
ensure subcritical configuration 
Honeycomb core structure prevents fuel pin 
spreading on impact 

Reentry shield assures impact orientation and 
temperature control 

Reentry shield protects against oxidation 
during reentry 

Small amount of core buckling and crushing 
helps prevent safety rods dislodging from 
core during impact and burial 
Honeycomb supported by fuel pins prevents 
disruption of core by solid rocket booster 
fragments 

Lithium coolant solid at launch 
High temperature materials used UN(3123K), 
Be0(2803K),PWC-ll(2741K) 

Fracture control program for beryllium 

Reentry shield protects against heat fluxes, 
oxidation and aerodynamic loads 
Insignificant fission product inventory at 
at launch 

Bonded fuel cladding 
Fission gas plenum for each fuel pin 
High temperature materials PWC-11(274]K) 
and carbon-carbon (reentry shield) 
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Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 3 of 6) 


Safety Issue 


Resolution 


Space debris penetration 
of primary coolant 
boundary 


Inadvertent startup and 
reactivity insertion 


Shutdown capability 


Fission product release 
during normal operation 


Primary coolant lithium solid prior to 

startup j u * 

Auxilisiry coolant loop to roinovo docay neat 
in event primary heat transport loop 
is inadequate 

Beryllium shield over primary coolant loop 
piping where exposed to debris „ttt 

Damage assessment per NASA SP-8042 (Ref. VIII-1) 


Latches and locks on safety rods and 
refl ectors 

Two independent means (safety rods and 
reflectors) to maintain subcriticality 
Rods locked in core prior to startup 
Reflectors locked out prior to startup 
Actuators not powered prior to startup, 
no power to clutches, and no power to 
energize brakes 

Command required to operate actuators 
Three independent inhibits, one of which 
precludes startup by RF energy 
Shutdown springs load safety rods and 
reflectors to least reactive positions 
Controller software to meet NSTS fault 
tolerance requirements 
Control elements (reflectors and rods) are 
moved away from and out of the core 
individually and incrementally in a pre- 
programmed manner to prevent a rapid 
reactivity insertion 

Encryption and decryption devices and command 
sequence 

Inadvertent startup Inhibits monitored 


Two independent means of shutdown (safety rods 
and reflectors) 

Redundancy in safety rods and reflectors 


Bonded fuel cladding 

Gas plenum within each fuel pin 


153 



Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 4 of 6) 


Safety Issue 


Resolution 


Reactor power control Negative void, temperature, and power 

reactivity feedback coefficients 
Two independent shutdown means (safety rods 
and reflectors) 

Redundancy in safety rods and reflectors 
Control elements (safety rods and reflectors) 
moved individually and incrementally, maximum 
reactivity insertion limited to 1.5%/n>inute 
power increase 

Redundant sensors for temperature, pressure and 
primary coolant flow 

Redundant temperature sensors per primary 
coolant loop 

Diverse thermocouples and Johnson noise sensors 
Design basis accidents studied to identify 
operating conditions requiring shutdown or 
power reduction 

Safety rod position limit switches to confirm 
location 

Reflector continuous position indicators 
Control system diagnostics to detect 
malfunction to change control sequencing 
Control system diagnostics prior to shutdown 
to reduce likelihood of spurious scram 
Control system diagnostics after shutdown to 
determine if autonomous restart appropriate, 
battery power will monitor safety systems 
up to 1.5 hour after shutdown 
Shutdown springs move safety rods and reflectors 
to shutdown position upon loss of power to the 
actuators 
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Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 5 of 6) 


Safety Issue 


Resolution 


Loss of coolant, flow, 
and heat sink 


Loss of load 


Final shutdown 


Auxiliary coolant loop removes decay heat in the 
event the primary heat transport loop is 
inadequate 

Design basis accidents requiring shutdown 
Two independent means of shutdown with 
redundancy 

High temperature materials PWC-11(2741K), 
UN(3123K) , ^ ^ 

Beryllium shield over primary coolant loop 
piping where exposed to space debris 
TEM pumps used for passive, automatic decay heat 
removal 

Redundant reactor outlet temperature sensors per 
primary coolant loop 

Diverse thermocouples and Johnson noise sensors 
Redundant system pressure sensors initiate 
shutdown upon loss of pressure 
Diverse methods of decay heat removal with 
primary coolant loop and auxiliary coolant 

loop ^ . 

Redundancy with multiple primary and secondary 
coolant loops in primary heat transport system 
Primary heat transport coolant leaks detected by 
pressure sensors 

Auxiliary coolant loop leaks detected by 
pressure differential 

Parasitic shunt 

Design basis event requiring power reduction 
at shunt failure 

Two independent and diverse methods of shutdown 
(safety rods and reflectors) 

Redundancy in safety rods and reflectors 
Automatic at end-of-mission 

Uses independent clock with shutdown time preset 
at launch and not resettable 
Clock powered by critical loads bus 
Single fault tolerant 

Battery power for restart limited to a few hours 
Irreversibly interrupt power supply to reflector 
and safety rod clutches 
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Table 8-1 

SP-100 Program Safety Issue Resolution Approaches 
(Sheet 6 of 6) 


Safety Issue 

Resolution 

Decay heat removal 

Diverse methods of decay heat removal with 
primary coolant loop and auxiliary coolant 
loop 

Redundancy with multiple primary and secondary 
coolant loops in primary heat transport system 

Loss of communication 

Design basis event requiring shutdown after time 
limit exceeded 

Loss of safety function 

Design basis event requiring shutdown 


8.2 RECOMMENDED NEW SAFETY ISSUE RESOLUTIONS 

The following discussion is restricted to resolution approaches 
identified for mission phases and aspects of mission phases not previously 
covered by low earth orbit operation applications of reactors in previous 
safety assessments, especially the SP-100 safety program. The safety issues 
addressed are those in Table 7-2. 

Criticality After Vehicle Explosions 

An explosion in space is always a possibility when using chemical 
propulsion (Ref. VIII-2). An explosion of significance requires propellant 
and oxidizer to mix and pool. Propellant and oxidizer tanks must rupture 
together and the time and means to mix and pool must be provided. 

Furthermore, an ignition source is required. This simultaneous rupturing 
could occur due to collisions between orbiting vehicles, collisions between 
the vehicle and the space station structure, or projectiles emanating from an 
exploding rocket engine. 

Not all tank ruptures will lead to an explosion; as mentioned 
previously, mixing, pooling, and an ignition source are required. Due to the 
lack of design data, the possibility exists that the LHj and LOj may be 
configured in the excursion and transfer vehicle tanks in the same manner as 
in a Centaur, i.e., LHj and LOj in a tank separated by a common bulkhead. A 
projectile from an exploded rocket engine could impact one compartment of the 
tank causing a collapse of the common bulkhead resulting in the mixing and 
pooling necessary to allow an explosion. The explosion fragments may provide 
the ignition source. Even with ignition, the mixture may only burn 
vigorously. The Centaur confined-by-missile mode of explosion from the 1985 
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Galileo and Ulysses Final Safety Analysis Report (Ref. VIII-3) is an example. 
Should the LH, and LO 2 be contained in separate tanks, an explosion of 
consequence is unlikely, since the means to mix and pool are ^ 2 ^ 4 . 

external source of oxygen (e.g., the atmosphere) is The thr ^ 

from Space Shuttle external tank explosions was considered ml after 150,000 

ft for this reason (Ref. V-2). 

Projectiles, fragments and shrapnel, will be produced due to explosions 
of rocket engines and propellant tank ruptures. Not all tank ruptures, 
however! will result in projectiles. The majority of the prepurized tanks in 
the Shuttle Orbiter are made of titanium (Ti-6A1-4V). These tanks 
fail due to overpressure by splitting open and relieving pressure. 
not fragment, but generally split apart in hemispheres. Projectile 
will also be attenuated by intervening structure. Projectile environments 
will be heavily dependent upon the materials and structures used in the 
transfer and excursion vehicles. 

The SP-100 is being designed to remain subcritical during launch 
accidents by providing sufficient negative reactivity and the structural 
capability to retain this negative reactivity. Neutron absorber rods will be 
locked into place inside the reactor core at launch to be removed only upon 
the startup command. These rods have been designed to keep the reactor core 
subcritical under all postulated reactor configurations resulting from 
exDlosions, projectiles, fragments, and shrapnel. Hydrocode analyses by 
General Electric (Ref. I-l) have been performed to verify the rods will remain 
in the reactor core during the explosion environments resulting from failures 
of the space shuttle. Nuclear reactor accommodation of the explosion 
environments possible during any phase of the moon and Mars 1)°^ 

known at this time due to the lack of sufficient design detail 
transfer, and excursion vehicles. The use of an expendable launch vehicle may 
eliminate solid rocket motor casing fragments as a safety concern since the 
reactor should be located above any fragment field generated in an explosion 
of the launch vehicle. 

Radiation Emitted During Operation and Maintenance 

Radiation exposure control during operation and maintenance will involve 
shielding, distance, and time wherever practical. The particular radiation 
exposure limits for astronauts has not been clearly defined. 

The National Council on Radiation Protection has published guidelines in 
NCRP Report No. 98 (Ref. IV-1). These guidelines are listed in Tables 8-2 and 
8-3. Annual dose is limited to 50 rem with a 30 day limit of 25 Jf®**** The 
career dose limit is dependent upon sex and first-mission age of the 
astronaut. These career limits are based upon a lifetime excess risk of 
cancer mortality of 3 percent. 

Radiation exposure controls for astronauts need to include the effects 
of all sources of natural and man-made radiation, both stationary and mobile. 
Past shielding studies for stationary (Refs. IV-3 and IV-4) and J®. 

VIII-4) systems have ignored the presence of sources of man-made radiation in 
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Table 8-2 

National Council on Radiation Protection Guidelines for 
Exposure of Spaceflight Crewmembers to All Sources 
of Radiation (Ref. IV-2) 

Time Period 

Blood Forming Organs 


(mSv) 

30 days 

250 

Annual 

500 

Career 

See Table 8-3 


Table 8-3 

National Council on Radiation Protection Guidelines for Career Mholebody Dose- 
Equivalent Limits Based on a Lifetime Excess Risk of Cancer Mortality of 

3 percent (Ref. IV-2) 


Age (years) 

Female (Sv) 

Male (Sv) 

25 

1.0 

1.5 

35 

1.75 

2.5 

45 

2.5 

3.2 

55 

3.0 

4.0 


addition to the reactor. This is primarily due to the lack of information on 
the complimentary surface power system. An allocation of exposure to natural 
and man-made radiation is required. An analysis must be performed of 
potential astronaut activity on the surface of the moon and Mars to 
characterize the potential for exposure of the astronauts to man-made 
radiation sources. Time and distance estimates are required. From this 
characterization, an optimum dose limit allocation between mobile and 
stationary man-made radiation sources can be made. 

The characterization of astronaut activities for the purpose of dose 
limit allocations must include all potential missions. A dose limit based 
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upon a 30 day astronaut stay will result in astronaut overexposure during the 
600 day lunar mission dress rehearsal for the missions to Mars. Dose jiniits 
should be based upon the longest potential astronaut stay expected during the 
lifetime of the nuclear reactor surface power system. 

Dose limits have not been suggested based upon a realistic and complete 
set of dose plane locations. Dose limits for man-made radiation emanating 
from surface nuclear reactors have been proposed for the habitat area at 
various distances from the power production area (e.g., 1 and 5 km), at 
arbitrary distances, and at the innermost point of the radiator panels. 
Shielding requirements for lunar surface operations of mobile DIPS units have 
been investigated and the results reported in Reference VIII-4 where 
separation distance and exposure time control were used for an unpressurized 
manned/robotic rover. No allowance was made for man-made radiation from 
surface nuclear reactors and exposure limits were based upon balances 
estimated as shown in Table 8-4. 


Table 8-4 

Radiation Exposure to Astronauts on Moon (Ref. VIII-4) 


Sources of Radiation 


Mission Lenoth (davs)’ 


30 

90 

180 

365 

600 

Natural sources 

1. Earth-moon-earth 

4.3 

4.3 

4.3 

4.3 

4.3 

2. Lunar surface 

1.0 

3.2 

6.6 

13.3 

22.0 

3. Solar particle event 

1.2 

1.2 

1.2 

2.4 

4.0 

(10 gm/cm shield) 

Total dose 

6.5 

8.7 

12.1 

20.0 

30.3 

NCRP-98 guidelines 

25.0 

50.0 

50.0 

50.0 

100.0 

Dose balance (rem/mission) 

18.5 

41.3 

37.9 

30.0 

69.7 


’Mission length includes 4 days for round trip to moon. 


Proper sizing and comparison of shielding alternatives will require the 
allocation of dose limits at prescribed locations. Various astronaut 
activities will require them to perform duties at the habitat area, at the 
launch/landing site, at the soil processing plant, and at locations away from 
th© outpost which will roquir© tr©v©l outsid© the protection of th© habitat on 
surface rovers. A shadow shield to protect the astronauts at the habitat may 
not provide any protection at other locations. A total dose limit must be 
recognized as the summation of the doses acquired from the various locations 
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astronauts will be performing their duties. Also, dose limits should be 
separated into nominal and emergency limits. A nominal limit should reflect 
the diversity of duties required of each individual astronaut, not necessarily 
the worst case exposure compiled from all astronaut duties. Emergency limits 
should be set to reflect the availability of an excursion vehicle for outpost 
abandonment in addition to the consequences to the astronauts of power system 
failure. 

Mars Environment 

In addition to the COj atmosphere, the martian soil has been found to 
contain oxidants, see Appendix A. The martian soil is periodically entrained 
and suspended in the atmosphere by surface winds. Also, H 2 SO 4 and HCl 
aerosols are believed to be present in the wind blown dust. Reactor materials 
will be required to withstand the COj atmosphere and these oxidants and acids 
during operation and for long term storage if final disposal is on the surface 
of Mars. 

The Reference Flight System SP-100 uses refractory metals due to the 
high temperatures required for operation within design constraints of mass and 
payload envelope. These materials are not compatible with long term operation 
and disposal on the surface of Mars. This problem is well known and has been 
identified previously (Ref. IV-3). Current efforts to investigate 
environniGntal effects on SP-100 refractory materials is limited to low earth 
orbit conditions, e.g., meteoroids, debris, atomic oxygen, and plasma (Ref. 
VIII-5). Research is required for material compatibility with the martian 
environment. Coatings such as silicide for refractory metals need to be 
investigated for long term reliability. Reactor designs using alternate 
materials, such as stainless steel, which operate at lower temperatures and 
are compatible with the martian environment need to be considered. Isolation 
of the refractory materials from the martian environment should be 
investigated as a potential solution. The refractory metals could be encased 
in a vessel which supports a vacuum or inert atmosphere between the outside 
vessel and the inner refractory materials, e.g., encase the primary coolant 
loop piping in a stainless steel tubing with a vacuum between them. 

High Speed Impact on the Moon and Mars 

Both high and low speed impacts are possible during a flight to the moon 
or Mars. Low speed impacts involve such diverse accidents as dropping the 
reactor on the lunar and martian surfaces; planet surface transportation cart 
rollover; handling accidents at planet orbit rendezvous and on the surface of 
the planet; and low speed collisions during orbital maneuvers in low earth 
orbit. High speed impacts are possible during a flight to the moon or Mars. 
High speed impacts on the lunar and Mars surfaces may occur during moon/Mars 
orbit insertion and descent to the surface. They may also occur during 
launch from the earth and upon return to the earth should the space vehicle 
fail to orbit the moon or Mars and return to the earth. The issue of a return 
to earth without orbiting the moon or Mars is discussed below under the safety 
issue of return flyby trajectories. An additional possibility for lunar 
surface impact may occur if nuclear electric propulsion is used and the trans- 
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lunar orbit requires a gravity assist flyby of the mpo.n. 

Impact speeds may be as high as planet approach velocities, 2 to 7 km/s 
(7 to 23 kft/s) for Mars (Figure 7-1), since the moon has no atmosphere and 
Mars has too little atmosphere to adequately slow down the spacecraft. The 
reactor is unlikely to survive such an impact on the moon or Mars. The SP-100 
reactor is being designed to survive a 269 m/s impact on pavement grade 
concrete. The risk to the mission from this type of accident will have to be 
estimated taking into account flight path angle, incoming velocity, the 
aerobrakes. Guidance system failures should be the dominate risk contributor. 
Highly reliable transfer vehicle guidance systems will minimize risk. The 
TGactor must be designsd to survive earth reentry so that the risk to the 
general population is insignificant. 

The nuclear power system will not be operated until it is emplaced on 
the surface of the moon or Mars. This will .minimize the radioactivity 
inventory. 

An environmental hazard would be meteoroid impact. An impact analysis 
needs to be performed to determine the minimum meteor mass required as a 
function of velocity to penetrate the fuel cladding. With this mass, the risk 
can be estimated from this high speed impact source for comparison with other 
mission risks to determine the need for any extra precautions. 

Return Fl vbv Trajectories 

Flights to the moon and Mars are likely to use trans-lunar and trans- 
mars trajectories which will allow return to earth should the space vehicle 
propulsion system fail to function for orbit insertion. This type of 
trajectory would be failsafe. If a failure in the propulsion system used for 
orbit insertion around the moon or Mars is detected during the trans-lunar or 
trans-Mars trajectory phase of the mission or the system fails to operate when 
commanded, a return flyby trajectory would allow the space vehicle to return 
to earth with little or no additional thrusting for retrieval of astronauts 
and cargo. The propulsion system may be either chemical or nuclear. The term 
return flyby trajectory has been used to denote a trajectory from the earth to 
the moon or Mars which would not require a significant thrust at the moon or 
Mars to insert the space vehicle into a trajectory which will return the space 
vehicle to the earth. The returning space vehicle would contain the original 
cargo, including the surface power system reactor. The potential exists for 
the returning space vehicle to reenter the earth's atmosphere should the 
propulsion system failure preclude an earth avoidance maneuver. Reactor earth 
reentry survival in a subcritical configuration will have to be guaranteed so 
that the risk to the general population is insignificant. 

The preferred resolution to reduce the risk to the general population to 
an insignificant level would be ejection of the nuclear reactor at some time 
in the return flyby trajectory when such an action poses very little threat to 
the general population. This would be the most likely means of reducing the 
threat since a return flyby trajectory would probably call for ejection of the 
cargo and unused propellant since transfer vehicles do not appear to be 
designed for insertion into low earth orbit with such a large mass. It is not 
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clear that the propulsion system for the SEI space vehicles would be capable 
of earth orbit insertion with the full cargo. The return trajectory should 
have a perigee altitude of at least 1000 km in case ejection of the reactor 
fails. If ejection of the reactor is not possible, the transfer vehicles 
would have to be designed to accommodate this mission abort scenario. The 
transfer vehicle would have to be designed so that the aerobrake, or the 
attached excursion vehicle, could safely insert the spacecraft into orbit 
about the earth. The particular flight maneuvers associated with earth orbit 
insertion should be chosen to minimize risk to the general population. 

Because the reactor will not be operated until it is emplaced on the surface 
of the moon or Mars, mission risk will not be aggravated by a fission product 
inventory. The safety issue of a nuclear propulsion system as part of this 
returning space vehicle was not addressed since it was outside the scope of 
this task. 

Disposal After Operation on Planet 

The problem of safe disposal of the used nuclear reactor core is a 
complex issue. The problem involves fuel and fission product containment, 
radiation exposure and diversion. 

Three disposal schemes have been proposed: 1) storage in place, 2) 

storage away from the power production area, and 3) insertion into a parabolic 
trajectory. Of the three, disposal by insertion into a parabolic trajectory 
will involve launching the used reactor core from the surface of the moon and 
Mars. Disposal by parabolic trajectory from the moon and Mars has the 
potential for accidents during launch from the planet surface and boost from 
orbit around the planet. These accidents may leave the planet surface or the 
orbit contaminated. An unplanned retrieval from orbit will create 
circumstances for additional accidents and significant radiation exposure to 
astronauts if their presence is required. 

Disposal by launching the used reactor core to a nuclear safe orbit 
about the moon or Mars (not one of the preferred disposal schemes) would 
result in the used reactor presenting a hazard for future flights. Boost to a 
nuclear safe orbit from low earth operating orbits has always been desirable 
in other missions, e.g., SP-100 and Multi megawatt, since it minimizes the risk 
to the public and the cost of disposal. As previously mentioned, launches 
from the moon and Mars will involve the potential for contamination of the 
planet surface after a launch accident. 

Lunar and Mars surface disposal, i.e., storage in place or away from the 
power production area, eliminates the hazards associated with schemes that 
require launching from the planet surface for disposal. However, the 
environmental safety concerns become important for long periods of time. 
Storage by these means will require fission product containment for hundreds 
of years. During long storage times, provisions must be made to restrict 
access to the storage areas to avoid overexposure to the radiation. These 
provisions must be viable for the time required to either allow for 
radioactive decay to reduce the radiation hazard to acceptable levels or until 
a safer method of disposal can be found. Markers may have to be employed to 
prevent losing track of the disposal site over hundreds of years. 
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Any method of surface storage of the used nuclear reactor fuel would be 
dependent upon the need to remove the used core from the power production area 
for such purposes as reusing portions of the existing power system versus the 
ability to safely remove the used core without overexposing the astronauts or 
contaminating the environment while removing the spent fuel. This issue has 
been considered should the decision be made in the future to require the 
removal of the reactor from the vicinity of the base. A commitment to 
permanent human occupation of the lunar surface may require removal of the 
used reactors from the base area to avoid clustering these radioactive sources 
around the base. Spent fuel removal could be accomplished by means of robots 
to prevent astronaut exposure. Should the use of robots to remove the fuel 
fail» remedial efforts may be required; these should minimize astronaut 
exposure. Spent reactor fuel stored on Mars would be required to withstand 
the martian environment for many years. A risk assessment must be performed 
to assist in determining which disposal scheme is best. The disposal strategy 
must have minimum astronaut interaction and adequate long term safe storage 
with minimum risk. 

Outpost Contamination 

Accidents on the surface of the moon and Mars may result in the release 
of fission products. Contamination of the surface may result in contamination 
of the habitats. Astronauts may walk through a contaminated area and carry 
the fission products to the habitat on the extravehicular mobility unit. 
Containment of the fission products on the surface of Mars will be further 
complicated by the martian winds. A reactor containment/guard vessel is 
recommended . 

Reactor Stranded in Orbit 

The Space Exploration Initiative mission profiles will increase the 
number of potential accidents in low earth orbit which may lead to inadvertent 
reentry above that for previous SP-100 mission profiles. However, most of the 
new accidents will not introduce any new reentry environment that has not been 
identified in the SP-100 program. Those accidents which strand an undamaged 
reactor in earth orbit may result in the reactor entering the atmosphere under 
conditions for which the SP-100 reactor is currently being designed. A 
damaged reactor, however, has the potential to release fuel during inadvertent 
reentry and earth impact (Ref. VIII-1). A risk assessment (Ref. VIII-1) has 
been performed of potential SP-100 missions involving the inadvertent reentry 
of a damaged reactor. The risk was found to be low. A new reactor would have 
to be analyzed and tested as the SP-100 has been, and as a flight qualified 
SP-100 would have to be. 

A reactor stranded in orbit about the moon or Mars will not pose a risk 
to the population of the earth. However, it may pose a hazard to future 
flights which require insertion into the same orbit to descend to the outpost. 
The hazard associated with an intact reactor orbiting about the moon or Mars 
may be insignificant or easily resolved by tracking. A damaged reactor which 
is part of a debris field resulting from an accident may pose a hazard of 
significance. A reactor which has undergone an excursion may add a 
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radioactive element to the hazard. The risk to a mission of a reactor 
stranded in orbit about the moon or Mars is expected to be low because 
transfer vehicle designs will maximize the chances for astronaut survival and 
this design philosophy will reduce the probability for a reactor stranded in 
orbit. An analysis needs to be performed to validate that the risk to a 
mission of a nuclear reactor, damaged or not, stranded in orbit about the moon 
or Mars is low. 

Although the following safety issues are not usually considered nuclear 
system safety issues, they have been included for completeness. Astronaut 
contact with the high voltage power cables and the loss of power to the 
habitat life support systems threaten the lives of the astronauts. As part of 
the total power system design, including power distribution and backup for 
critical life support systems, these issues are discussed below. 

High Voltage Power Cables 

One option for the distribution of power from the nuclear reactor to the 
various areas of the outpost is cable placed above ground. Whether this cable 
is placed on the surface or suspended above the surface, it will be a safety 
hazard to the astronauts. Either physical barriers or proximity warning 
systems should be used to protect the astronauts. Possible methods to protect 
the astronauts would be suspending the cable high enough to allow any vehicle 
to pass safely below, posting warning signs and beacons along the length of 
the cable, developing a warning system installed in EMUs which would alert the 
astronaut to the presence of the cables, and restricting access to areas in 
the outpost by physical barriers and the establishment of pathways to be used 
within the outpost area. There is likely a very large number of solutions to 
this safety hazard, a combination of some of which will provide safe working 
conditions without a significant mass penalty. 

Loss of Power to Habitat 

This issue is not normally considered a nuclear safety issue. It has 
been included here because it does have an impact on the safety of the 
astronauts. The following discussion will have some application to any 
central power system used on the moon and Mars. 

In all cases where the nuclear reactor is shutdown due to a failure and 
in some cases where power is reduced, the habitat will not have sufficient 
power to maintain life support systems. It is the responsibility of the power 
system designer to prevent a power system response which will place the 
astronauts in a life threatening situation. An uninterruptible power source 
must be provided which will maintain minimum life support capabilities. 

Habitat power requirements in the case of nuclear reactor shutdown or 
power-down will be time dependent based upon the response of the habitat life 
support systems to a loss of power. Power requirements iiwnediately after loss 
of power may be very small, only that needed to provide lighting and energy to 
open and close airlocks so that astronauts will be able to exit the habitat to 
obtain other sources of power that are available to replace the nuclear 
reactor until it is repaired or the outpost is abandoned. An analysis must be 
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performed to identify the power needs of systems after a nuclear reactor power 
system shutdown or power reduction. 

The solution to this safety hazard will require the mix of stationary 
and mobile surface power systems be coordinated. Safety requirements will 
certainly demand all systems meet specific availability goals. ^ 

may result in a set of mobile power source units always located at the outpost 
within specified distances from the habitat. Photovoltaic power sources may 
supplant mobile power sources during the lunar day. 

A reliability, availability, and maintainability (RAM) analysis is 
required of all surface power systems (including extravehicular mobility 
units) with respect to meeting the life support requirements ^e 
astronauts. These life support requirements would include maintenance of the 
excursion vehicle to provide the astronauts the option to abandon the outpost. 
The goals of the RAM analysis must be consistent with the purpose of the 
outpost and the restrictions placed upon any emergency options due to the 
remoteness of the outpost from earth and the harsh environment in which the 
outpost exists. 

Reactors designed for low earth orbit applications are typically 
required to meet reliability goals. Reliability goals are used for systems 
which are not repairable. The nuclear reactor power system for the moon and 
Mars may have some degree of repairability. Also, the availability of power 
to the astronauts is most important. As such, it would seem that an 
availability goal is more appropriate. A nuclear power system should be 
designed with an availability goal(s) for power to sustain life . 

systems and other vital power consumers as a part of a total power management 
and distribution system of stationary and mobile power sources. A RAM 
analysis is advised. 

8.3 SP-100 RESOLUTIONS REVISITED 

The missions postulated for the SP-100 Reference Flight System have been 
in orbit about the earth without the presence of astronauts. The use of an 
SP-100 as a power source on the surface of the moon and Mars requires pe 
reactor power system to be man- rated and be subject to a new set of potential 
accident environments and operating conditions. This section contains a 
discussion of the results of a cursory examination of the safety issue 
resolution approaches and design features used in the SP-100 Reference Flight 
System in light of the new missions. 

Launch Aborts 

Larger launch vehicles have been proposed for the lunar and Mars 
missions. When sufficient design details are forth coming, data 
characterizing the environments resulting from launch vehicle failures will 
have to be generated and compiled in the same manner as has been done for the 
Space Shuttle (Ref. VIII-6) and the Titan IV (Ref. VIII-7). These new 
environments and failure rates will then be used to design the nuclear reactor 
to survive these environments as has been done for the Galileo spacecraft 
(Ref. V-2) and will be accomplished for the SP-100. 
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Diversion 

The safety issue of diversion has been previously covered in the SP-100 
program. Additional potential diversion conditions would result from 
inadvertent reentries due to unsuccessful flights to the moon and Mars where 
the nuclear reactor would return to earth on safe return flyby trajectories. 

As discussed above concerning return flyby trajectories, this safety issue 
could be solved by ejection of the reactor into space away from the earth. 

Decay Heat Removal 

The SP-100 Reference Flight System uses the primary coolant loop and the 
auxiliary coolant loop systems to remove decay heat from the reactor core 
after shutdown. The auxiliary coolant loop system consists of bayonet tubes 
inside the reactor core in which coolant is pumped by TEM pumps to a radiator 
where the heat is rejected to space. The primary coolant loops also use TEM 
pumps. These systems have been designed for operation in zero-g space. 

A steady state analysis (Ref. VIII-8) was performed to determine the 
feasibility of designing a primary heat transport loop with the capability of 
removing reactor decay heat by natural convection. The study was based upon a 
2.36 MW, SP-100 reactor operating on the lunar surface with either a Brayton 
or a Stirling power conversion subsystem. The reactor-to-Stirl ing heat 
exchanger was assumed to have properties similar to that of the Brayton heat 
exchanger. Two flat linear induction pumps were assumed in series in the 
single loop. Figures 8-1 and 8-2 illustrate the temperature differences 
developed across the reactor as a function pipe height and diameter. Figure 
8-1 presents results of the analysis at one second after shutdown and Figure 
8-2 presents similar results for 50 seconds after shutdown. Temperature 
differences were on the order of 100 C to 200 C for a configuration of 6 m 
from reactor to heat exchanger with 8 cm diameter pipe. Thus, excessive 
temperatures would not occur if the reactor design used natural convection in 
the primary coolant loop should the secondary heat transfer loop fail to 
provide a heat sink. A transient analysis is required to confirm that reactor 
temperatures are not excessive. 

A potential method to accommodate a loss of coolant accident is 
containment of the primary coolant loop inside a guard vessel. When the 
primary loop fails, the escaping coolant would be contained within the guard 
vessel. The guard vessel would be designed so that the captured coolant would 
cover the reactor and decay heat would be rejected by heat pipes or radiator 
attached to the guard vessel wall or by direct radiation. A cursory steady 
state thermal analysis was performed to determine the temperature drop from 
the reactor to the guard vessel for a lunar application. The break in the 
primary loop was assumed to have occurred so that the coolant levels inside 
the guard vessel and inside the reactor primary loop were the same. The 
resulting temperature drop was on the order of 950 to 1000 ®F. Only 
conduction heat transfer was assumed since analysis had indicated that natural 
convection heat transfer was doubtful. However, the analysis indicated that 
it is possible to remove the decay heat by boiling. Provided the pressure 
inside the guard ve'^sel c?n be kept close to the martian atmospheric pressure, 
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the lithium saturation temperature of 1156 K (corresponding to maximum 
atmospheric pressure) would be well below the normal operating temperature of 
the reactor. A transient analysis is required to estimate peak fuel cladding 
temperatures to verify this method of accommodating a loss of coolant 
accident. Should this method be found adequate, an auxiliary coolant loop 
system such as used on SP-100 would not be used. 

Gas Management 

To remove the threat of uncovering the reactor core due to gas formation 
inside the primary coolant, a gas separator/accumulator has been used for SP- 
100. This should be eliminated in favor of a conventional expansion tank 
similar to those used for terrestrial reactors. This will take advantage of 
the effects of gravity and yield a more reliable system. 

Reactor Control 

Reactor control with BeO reflectors may not be adequate for a man-rated 
reactor. Leakage out the reactor may be significantly reduced by a man-rated 
shield in close proximity to the reactor. Poison backed reflectors may be 
required to reduce the backscattering produced by the shield. An analysis 
with benchmark testing is required. 

Currently, the possibility of astronauts performing maintenance or 
repair activities is remote. As such, consideration should not be given to a 
reactor design which allows for replacement and maintenance of reflectors, 
safety rods, and reflector and rod drive mechanisms. 

Power to monitor reactor status and restart the reactor after shutdown 
for the SP-100 reactor is provided by battery for a very short period of time, 
on the order of a few hours. This may not be sufficient for reactor 
applications on the moon and Mars if system diagnosis is to be perfoi^ed and 
some repair work is to also be performed. A much longer period of time will 
be required for diagnosis and repair in addition to startup. To minimize the 
chances for astronaut overexposure during repair activities after shutdown, an 
uninterruptible power supply to the nuclear power system monitoring and safety 
systems should be provided. This power supply may consist of batteries for 
the short period of time required to locate and move a mobile power source to 
the reactor site. A RAM analysis would determine power source requirements 
based upon the mean-times-to-diagnosis and -repair the reactor failures. A 
nuclear reactor power system without the possibility of repair would eliminate 
this safety issue. However, the ability to monitor a failed system until a 
safe shutdown has been accomplished would be wise. 

The conventional approach to regulating the electric load demand for an 
unattended space nuclear power system is to employ a shunt resistor between 
the power system and the load. This method requires the reactor operate at 
full thermal power at all times. The difference between the power output of 
the power system and the load is rejected into space as heat. Unnecessary 
fuel burnup results if the load demand is lower than the power produced. 
However, the shunt is required if the integrated power system is not 
inherently load following. A study (Ref. VIII-9) of the integrated SP-100 
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thermoelectric converter power system has shown that the power system may not 
be load following at all demand levels. For any region where the power system 
would not be load following, a shunt regulator could be employed. There have 
been studies suggesting the use of active feedback controllers (Refs. VIII-10 
and VIII-11). The design of such control systems are In the conceptual stage. 
A dynamic power conversion system designed to be load following is suggested 
to eliminate this problem. 

Inadvertent Startup 

Inadvertent startup of the reactor Is currently prevented by locking 
safety rods Inside the reactor core and reflectors In the least reactive 
position. To move these rods and reflectors, a coded command sequence is 
required to power the rod and reflector actuators. For SEI applications, 
inadvertent startup should be prevented by using a key lock mechanism which 
requires an astronaut or robot to initiate startup. This mechanism could be 
similar to those used on the SNAP and SP-100 programs at launch. 

End of Life Shutdown 

End-of-life shutdown is a safety issue because a nuclear reactor that 
fails to shutdown may preclude access to the power production site to emplace 
a replacement reactor or to remove the reactor for disposal away from the 
power production area. Final shutdown should be accomplished by a clock 
mechanism which will activate at a preset time set prior to operation. This 
preset time must not be resettable. The clock mechanism must be single fault 
tolerant. It must operate independently of the reactor operating mode or the 
power conversion subsystem operation. It must also irreversibly interrupt the 
power supply to the reactor control drives, both safety rods and reflectors. 

Availability 

Reactors designed for low earth orbit applications are typically 
required to meet reliability goals. Because reliability and safety are so 
closely related, some discussion is necessary concerning reliability goals and 
their applicability to planet surface reactor power systems for manned 
missions. Reliability goals are used for systems which are not repairable. 

The fuicl6ar rBactor pow 0 r system for the moon and Mars may have some degree of 
repairability. Also, the availability of power to the astronauts is most 
important. As such, it would seem that an availability goal is more 
appropriate. A nuclear power system should be designed with an availability 
goal(s) for power to sustain life support systems and other vital power 
consumers as a part of a total power management and distribution system of 
stationary and mobile power sources. 


170 


9.0 REFERENCES 


I-l "SP-100 Reference Flight System System Design Review." General 
Electric. May 1988. 

III-l Cohen, Aaron. "Report of the 90-Day Study on Human Exploration of the 
Moon and Mars (Advance Copy)," NASA, November 1989. 

III-2 Heaver, D. "Lunar Evolution Case Study," MASE, July 1989. 

III-3 McDaniel, G. Inhouse ETO, Presented at the Human Exploration 

Initiative Status Review Meeting, NASA, George C. Marshall Space 
Flight Center, February 28, 1990. 

III-4 "Lunar/Mars Outpost: Interim Review #1," Martin Marietta, December 

14, 1989. 

III-5 Cothran, B., and J. McGhee. "Space Transfer Concepts and Analysis for 
Exploration Missions." The Boeing Company. NASA Contract NAS8-37857, 
Presented at the Nuclear Propulsion Workshop, Pasadena, CA, 

June 19-22, 1990. 

III- 6 Sumrall, P. "MTV/MEV Overview," Presented at the Human Exploration 

Initiative Status Review Meeting, NASA, George C. Marshall Space 
Flight Center, February 28, 1990. 

IV- 1 "Guidance on Radiation Received in Space Activities." U. S. NCRP. 

Report No. 98, July 1989. 

IV-2 Bloomfield, H. S. "Overview of NASA Radiation Exposure Limit 

Guidelines for Spaceflight Crewmembers," NASA LeRC, presented at the 
36th annual meeting of the American Astronautical Society, Los 
Angeles, CA, November 3, 1989. 

IV-3 Bloomfield, H. S. "Small Reactor Power Systems for Manned Planetary 
Surface Bases." NASA LeRC. Technical Memorandum 100223, December, 
1987. 

IV- 4 Mason, L. S., H. S. Bloomfield, and D. C. Hainley. "SP-100 Power 

System Conceptual Design for Lunar Base Applications." NASA LeRC. 
Technical Memorandum 102090, January 1989. 

V- 1 O'Handley, Douglas. "Exploration Back to the Moon, to Mars, to the 

Stars," presented at the 36th annual meeting of the American 
Astronautical Society, Los Angeles, CA, November 3, 1989. 

V-2 "Final Safety Analysis Report for the Galileo Mission." U. S. DOE. 
Contract Number DE-AC01-79ET32Q43, December 1988. 


171 



V-3 "DIPS Conceptual Design Safety Assessment," Rockwell International, 
Rocketdyne Division. Report DIPS-0029-00, DOE Contract No. 
DE-AC01-88NE32129, 1988. 

V-4 "SP-100 Reference Flight System, System Design Review." General 

Electric. May 1988. 

V- 5 "SP-100 Program Industry Briefing." General Electric. July 1990. 

VI- 1 "Meteoroid Damage Assessment." NASA. Report SP-8042, May 1970. 

VII- 1 "Exploration Back to the Moon, to Mars, to the Stars." Rockwell 

International, Satellite Systems Division, 1989. 

VIII- 1 Bertram, B. W., and A. Weitzberg. "Radiological Risk Analysis of 

Potential SP-100 Space Mission Scenarios." NUS Corp. Report No. 5125, 
U. S. DOE Contract DE-AC01-88NE32135, August 1988. 

VIII-2 Buden, D. "Mars Mission Safety", Aerospace America . June 1989. 

VIII-3 "Final Safety Analysis Report for the Galileo Mission and the Ulysses 
Mission." U. S. DOE. GESP 7200, DOE Contract DE-AC01-79ET32043, 
October 1985. 

VlII-4 Keshishian, V. "DIPS Radiation Shielding," Rockwell International, 
Rocketdyne Division, Report EID-00087, March 1990. 

VIII-5 Ferguson, D. C., and J. M. Winter. "The SP-100 GES and CSTI High 

Capacity Power Space Environmental Effects Program." Proceedings of 
the Seventh Symposium on Space Nuclear Power Systems, Albuquerque, NM, 
January 7-10, 1990. 

VIII-6 "Space Shuttle Data for Planetary Mission Radioisotope Thermoelectric 
Generator (RTG) Safety Analysis." NASA. Report NSTS 08116 (Rev. B), 
September 1988. 

VIII-7 "Titan IV Radioisotope Thermoelectric Generator (RTG) Safety 
Databook." NASA LeRC, March 1989. 

VIII-8 Johnson, G. A. Internal Letter to R. B. Harty, "SP-100 Lunar Surface 
Natural Circulation Decay Heat Removal," Rockwell International, 
Rocketdyne Division, August 6, 1990. 

VIII-9 El-Genk, M. S., J. T. Seo, and J. J. Buksa. "Load-Following and 

Reliability Studies of an Integrated SP-100 System." J. Propulsion . 
Vol. 4(2), March-April 1988. 

VIII-10 Metzger, J. D., M. S. El-Genk, and A. G. Parlos. "Application of a 
Model -Reference Adaptive Controller to Ensure Load-Following of an 
SP-100 Type Space-Nuclear Power System." Proceedings of the Seventh 
Symposium on Space Nuclear Power Systems Albuquerque, NM, January 
7-10, 1990. 


172 



VIII-11 Parlos, A. G., and S. K. Menon. "Design of a Nonlinear Controller For 
Rapid Power Level Changes in Nuclear Systems." Proceedings of the 
Seventh Symposium on Space Nuclear Power Systems, Albuquerque, NM, 
January 7-10, 1990 


173 



APPENDIX A 

LUNAR AND HARTIAN ENVIRONNENTS 
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To accomplish a safety issue identification, it is necessary to predict 
power system response to the environments to which it will be exposed. 
section contains a brief summary of the lunar and martian environments. The 
information presented was taken from References A-1 and A-2. 

Moon 


The atmospheric density measured during the Apollo program indicated a 
surface nighttime value of 2 x 10® molecules/cm’, approximately sixteen orders 
of magnitude less than earth standard. Lunar atmosphere composition is listed 
in Table 1. 


Table 1 

Lunar Atmosphere (Ref. A-1) 


Gas 

Day 

Concentration 

(molecules/cm*) 

Night 

Hj 

< 6 X 

10^ < 4 X 10^ 

He 

2 X 

10® 4 X 10* 

Ne 

- 

< 10® 

Ar 

- 

< 3 X 10® 


The surface of the moon has two major regions, maria with vast plains of 
basaltic lava flows and the highlands. The surface of the moon is strongly 
fragmented. This mantle, the regolith, consists of shocked fragments of 
rocks, minerals, and glass spherules formed by meteor impact. The maria 
regolith varies from 3 to 16 meters thick and the highlands have a regolith 
depth of at least 10 meters. The typical composition of the regolith is shown 
in Table 2 with a few physical properties listed in Table 3. 

Meteor impact rate per cm^ is believed to be between 1.1 and 50 craters 
per million years for craters greater than 500 )[/m. The micrometeoroid flux 
for the lunar surface has been estimated to be modeled by the following: 

Log N - - 14.64 - 1.584 Log m - 0.063 (Log m)^ 10’^* gm ^ m ^ 10® gm 

and 

Log N « - 14.671 - 1.213 Log m, 10* gm ^ m ^ 1 gm. 
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Table 2 

Regolith Chemistry (Ref. A-1) 


Compound 

Weight % 

SiOj 

44.5 

AI 2 O 3 

26.0 

TiOj 

0.39 

FeO 

5.77 

MgO 

8.06 

CaO 

14.9 

NasO 

0.25 


0.06 


Table 3 

Lunar Regolith Physical Properties (Ref. A-1) 


Parameter 


Nominal Value 

Thermal Conductivity 
Thermal Inertia (cm^- 

(cal/sec-cm-K) 

1 - 2.8 X 10® 

sec’'^K/cal) 

400 - 1000 

Specific Heat (cal/gm-K) 

0.20 

Emissivity 


0.9 - 1.0 


It has been postulated that meteoroid impacts will result in the ejection of 
lunar material up to an altitude of 30 km. An average annual individual 
cumulative lunar ejecta flux-mass distribution over three ranges of the ejecta 
velocity, V^, is described by 


Log 

Log 

Log 


10.79 - 1.2 Log m, 0 s ^ 0.1 km/sec, 

11.88 - 1.2 Log m, 0.1 :S ^ 0.25 km/sec, 


13.41 - 1.2 Log m, 0.25 ^ 1.0 km/sec, 


where 


■ number of ejecta particles of mass m or greater per m^-sec, 
m - particle mass (gm), 



- particle velocity (km/sec). 


Figure 1 shows a model of the lunar surface temperature as a function of 
thermal inertia. A thermal inertia value of 800 cm -sec -K/cal appears to 
best fit data taken at the lunar equator. 

mi 


Key physical properties of Mars are listed in Table 4. The composition 
of the martian atmosphere is mostly carbon dioxide as shown in Table 5. Wind 


Table 4 

Key Physical Properties of Mars (Ref. A-2) 


Surface Temperature (K) 

130-300 

Insolation; Average Surface 
at Equator (kW/m^) 

0.18 

Surface Pressure (mbar) 

6-15 

Water Vapor (//bar) 

0.13 

Surface Wind Speed (m/sec) 

2-7 


Table 5 

Martian Atmosphere (Ref. A-2) 


GdS 

Mole Percent 

C 02 

95.3 

N2 

2.7 

Ar 

1.6 

02 

0.13 

H,0 

0.03 

CO 

0.07 

Ne 

2.5 ppm 

Kr 

0.3 ppm 

Xe 

0.08 ppm 

O3 

0.03 ppm 


driven dust layers are only centimeters or less thick. Data have indicated 
wind speeds up to 30 m/sec at the surface. Atmospheric dust is characterized 
in Table 6. The martian atmosphere is believed to be saturated with water 
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FigurG 1 Lunar Equatorial Temperature as a Function of Time and 
Thermal Inertia (Ref. A-1). 
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vapor at night. Frost was found at the Viking landing sites. 


Table 6 

Martian Atmospheric Dust (Ref. A-2) 


Dust Concentration 

10 ppm 

Dust Column Loading 

0.001 gm/cm*' 

(during storm) 


Air Column Loading 

20 gm/cm 

Mean Dust Particle Size 

2.5 //m 


Models for the martian atmosphere are shown in Figures 2 and 3. Mean 
low and high pressures are plotted in Figure 2. The density model couples the 
cool temperature model with the low pressure model and the warm temperature 
model with the high pressure model. The cool, low pressure model would best 
r 6 pr 6 S 6 nt th 6 atmosphGre in lat© north©rn sunwiBr dt 3 latitud© of 45 dcgroGS. 
The warm, high pressure model represents early southern summer at a latitude 
of 25 degrees. Figure 4 shows the surface daily mean pressure as a function 
of time over one martian year (687 days) at the two Viking landing sites. The 
scale labeled L, represents the aerocentric longitude of the Sun. Pressures 
and deviations are in millibar. Diurnal temperatures observed at the two 
Viking landing sites over a period of one sol (24.46 hr) varied from 180 K to 
240 K. 

Estimates have been made of the soil composition of the martian surface 
and are shown in Table 7. The sum of the compounds does not equal 1.0 due to 


Table 7 

Composition of Martian Soil (Ref. A-2) 


Compound 

Weight % 

SiOj 

44.7 

AI 2 O 3 

5.7 

F®203 

18.2 

MgO 

8.3 

CaO 

5.6 

K ,0 

<0.3 

TiO 

0.9 

SO 3 

7.7 

Cl 

0.7 
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Figure 2 Martian Atmospheric Pressure (Ref. A-2). 
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Figure 3 Martian Atmospheric Density (Ref. A-2). 


PHESSURE to 



Figure 4 Martian Surface Pressure Variation Over One Martian Year 
(Ref. A-2). 
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the inability of the Viking 1 lander to detect elements with atomic numbers 
less than 12 (phosphorus). Mechanical properties are shown in Table 8. 


Table 8 

Mechanical Properties of Martian Soil (Ref. A-2) 


Parameter 

Nominal Value 

Thermal Conductivity (cal/sec-cm-K) 
Thermal Inertia (cm^-sec’^-K/cal ) 
Specific Heat (cal/gm-K) 

Emissivity 
A1 bedo 

Bulk Density (gm/cm ) 

Penetration Resistance (N/cm /cm) 
Adhesion (N/cm^) 

Density (gm/cm®) 

2 - 20 X 10 ® 
100 - 600 
0.15 - 0.19 
0.9 - 0.98 
0.2 - 0.4 
1 - 1.8 
0.01 - 0.1 
10* - 10® 
3.933 


Surface materials contain absorbed water (1%) and carbon dioxide (50 - 100 
DPmi. Liquid water cannot exist on the martian surface. Evidence points to a 
permafrost layer varying from 1 km at the equator to several * 

poles. Within 40 degrees of the equator the ground is dehydrated to a depth 

of at least one meter. 

Oxidants have been found in the martian soil. Experiments on the Viking 
landers indicated that oxidizing compounds such as peroxides and superoxides 
are present in the martian soil which is periodically suspended in the 
atmosphere by the wind. Additionally, the presence of H2SO4 and HCl aerosols 
in the wind blown dust have been indicated. 
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